<!DOCTYPE html>
<!-- saved from url=(0099)http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#TCPSessionReconstruction3 -->
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
	<title>TCP Session Reconstruction Tool - CodeProject</title> 
	<link type="text/css" rel="stylesheet" href="./TCP Session Reconstruction Tool - CodeProject_files/Main.css">

	

<meta name="Description" content="A TCP session reconstruction tool for C#.; Author: Saar Yahalom; Updated: 22 Sep 2007; Section: Internet / Network; Chapter: General Programming; Updated: 22 Sep 2007">
<meta name="Keywords" content="VC8.0, .NET2.0, VS2005, C#2.0, C++/CLI, Windows, Dev, Intermediate,Internet / Network,General Programming,Free source code, tutorials">
<meta name="Author" content="Saar Yahalom">
<meta name="Rating" content="General">
<meta name="Robots" content="index, follow, NOODP">
<meta name="Revisit-After" content="1 days">
<meta name="application-name" content="CodeProject">
<meta name="google-translate-customization" content="d908bb7ce7aff658-4c2f3a504525c916-g629383f736781a8a-13">

<link rel="dns-prefetch" href="http://ajax.googleapis.com/"> 
<link rel="canonical" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool">


<link rel="alternate" type="application/rss+xml" title="CodeProject Latest articles - All Topics" href="http://www.codeproject.com/WebServices/ArticleRSS.aspx?cat=1">
<link rel="alternate" type="application/rss+xml" title="CodeProject Latest articles - Android" href="http://www.codeproject.com/WebServices/ArticleRSS.aspx?cat=22">
<link rel="alternate" type="application/rss+xml" title="CodeProject Latest articles - iOS" href="http://www.codeproject.com/WebServices/ArticleRSS.aspx?cat=25">
<link rel="alternate" type="application/rss+xml" title="CodeProject Latest articles - C++" href="http://www.codeproject.com/WebServices/ArticleRSS.aspx?cat=2">
<link rel="alternate" type="application/rss+xml" title="CodeProject Latest articles - C#" href="http://www.codeproject.com/WebServices/ArticleRSS.aspx?cat=3">
<link rel="alternate" type="application/rss+xml" title="CodeProject Latest articles - Web" href="http://www.codeproject.com/WebServices/ArticleRSS.aspx?cat=23">
<link rel="alternate" type="application/rss+xml" title="CodeProject Lounge Postings" href="http://www.codeproject.com/webservices/LoungeRSS.aspx">
<link rel="search" type="application/opensearchdescription+xml" title="CodeProject" href="http://www.codeproject.com/info/OpenSearch.xml">

	<!--<base target="_top">--><base href="." target="_top">
	<link rel="icon" href="http://www.codeproject.com/favicon.ico" type="image/ico">
<link rel="shortcut icon" href="http://www.codeproject.com/favicon.ico" type="image/ico">
<link rel="apple-touch-icon" href="http://www.codeproject.com/images/FavIcon-Apple.png" type="image/png">
<script type="text/javascript" language="Javascript">//<![CDATA[
function defrm () { /* thanks twitter */ document.write = ''; window.top.location = window.self.location;  setTimeout(function() { document.body.innerHTML = ''; }, 0);  window.self.onload = function(evt) { document.body.innerHTML = ''; }; }if (window.top !== window.self) {  try {  if (window.top.location.host) { /* will throw */ } else { defrm(); /* chrome */ }  } catch (ex) { defrm(); /* everyone else */ } }if (typeof(DemoUrl)!='undefined')   document.write(unescape('%3Cme')+'ta http'+'-equiv="re'+'fresh"                  con'+'tent="1;url='+DemoUrl+unescape('"%3CE'));
function _dmBootstrap(file) { var _dma = document.createElement('script');  _dma.type = 'text/javascript'; _dma.async = true;  _dma.src = ('https:' == document.location.protocol ? 'https://' : 'http://') + file; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(_dma);}
function _dmFollowup(file) { if (typeof DMAds === 'undefined')  _dmBootstrap('cdn1.developermedia.com/a.min.js?dt=2.8.150205.1');}
(function () { _dmBootstrap('cdn1.developermedia.com/a.min.js?dt=2.8.150205.1'); setTimeout(_dmFollowup, 2000);})();

//]]>
</script><style type="text/css"></style><script type="text/javascript" async="" src="http://cdn1.developermedia.com/a.min.js?dt=2.8.150205.1"></script>

	




<script type="text/javascript">
	var _gaq = _gaq || [];
	_gaq.push(['_setAccount', 'UA-1735123-1']);
	_gaq.push(['_trackPageview']);
	_gaq.push(['_setDomainName', 'www.codeproject.com']);
	_gaq.push(['_setSessionTimeout', '1200']); 

	(function () {
		var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
		ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
		(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(ga);
	})(); 
</script><script type="text/javascript" async="" src="./TCP Session Reconstruction Tool - CodeProject_files/ga.js"></script>


<script type="text/javascript" async="" src="http://cdn1.developermedia.com/a.min.js?dt=2.8.150205.1"></script><link type="text/css" rel="stylesheet" charset="UTF-8" href="./TCP Session Reconstruction Tool - CodeProject_files/translateelement.css"><script type="text/javascript" charset="UTF-8" src="./TCP Session Reconstruction Tool - CodeProject_files/main_zh-CN.js"></script><script type="text/javascript" charset="UTF-8" src="./TCP Session Reconstruction Tool - CodeProject_files/element_main.js"></script><style type="text/css">#yddContainer{display:block;font-family:Microsoft YaHei;position:relative;width:100%;height:100%;top:-4px;left:-4px;font-size:12px;border:1px solid}#yddTop{display:block;height:22px}#yddTopBorderlr{display:block;position:static;height:17px;padding:2px 28px;line-height:17px;font-size:12px;color:#5079bb;font-weight:bold;border-style:none solid;border-width:1px}#yddTopBorderlr .ydd-sp{position:absolute;top:2px;height:0;overflow:hidden}.ydd-icon{left:5px;width:17px;padding:0px 0px 0px 0px;padding-top:17px;background-position:-16px -44px}.ydd-close{right:5px;width:16px;padding-top:16px;background-position:left -44px}#yddKeyTitle{float:left;text-decoration:none}#yddMiddle{display:block;margin-bottom:10px}.ydd-tabs{display:block;margin:5px 0;padding:0 5px;height:18px;border-bottom:1px solid}.ydd-tab{display:block;float:left;height:18px;margin:0 5px -1px 0;padding:0 4px;line-height:18px;border:1px solid;border-bottom:none}.ydd-trans-container{display:block;line-height:160%}.ydd-trans-container a{text-decoration:none;}#yddBottom{position:absolute;bottom:0;left:0;width:100%;height:22px;line-height:22px;overflow:hidden;background-position:left -22px}.ydd-padding010{padding:0 10px}#yddWrapper{color:#252525;z-index:10001;background:url(chrome-extension://eopjamdnofihpioajgfdikhhbobonhbb/ab20.png);}#yddContainer{background:#fff;border-color:#4b7598}#yddTopBorderlr{border-color:#f0f8fc}#yddWrapper .ydd-sp{background-image:url(chrome-extension://eopjamdnofihpioajgfdikhhbobonhbb/ydd-sprite.png)}#yddWrapper a,#yddWrapper a:hover,#yddWrapper a:visited{color:#50799b}#yddWrapper .ydd-tabs{color:#959595}.ydd-tabs,.ydd-tab{background:#fff;border-color:#d5e7f3}#yddBottom{color:#363636}#yddWrapper{min-width:250px;max-width:400px;}</style><style id="style-1-cropbar-clipper">/* Copyright 2014 Evernote Corporation. All rights reserved. */
.en-markup-crop-options {
    top: 18px !important;
    left: 50% !important;
    margin-left: -100px !important;
    width: 200px !important;
    border: 2px rgba(255,255,255,.38) solid !important;
    border-radius: 4px !important;
}

.en-markup-crop-options div div:first-of-type {
    margin-left: 0px !important;
}
</style></head>	

<body class="chrome chrome37" style="position: static;">

<a class="access-link" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Main"><img alt="Click here to Skip to main content" src="./TCP Session Reconstruction Tool - CodeProject_files/t.gif"></a>





<div class="page-background">

	
	

	

	<table id="ctl00_Bn" style="width:100%;height:135px" cellpadding="0" cellspacing="0" class="banner fixed">
	<tbody><tr valign="bottom">
		<td class="blank-background" style="height:31px">&nbsp;</td>
		<td class="blank-background" rowspan="3" style="width:250px;height:135px"><a href="http://www.codeproject.com/"><img id="ctl00_Logo" tabindex="1" title="CodeProject" src="./TCP Session Reconstruction Tool - CodeProject_files/logo250x135.gif" alt="Home" style="height:135px;width:250px;border-width:0px;"></a></td>
		<td class="blank-background align-right" style="width:728px;height:31px">

<div class="container memberbar clearfix">

	<div id="ctl00_MemberMenu_GenInfo" class="float-left">11,212,675 members (64,444 online)</div>

	<div class="float-left">
		
	</div>

	<div class="float-right">

		

		

		

			<script type="text/javascript">//<!--
			function doSubmit(secure)
			{
				if (secure)
					document.subForm.action = "https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool"
				else
					document.subForm.action = "https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool"
				document.subForm.submit();
				return true;
			}//-->
			</script>

			<a name="SignUp"></a>
			<span class="member-signin tooltip">
				<span><a href="https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign in</a></span>

				<div class="tooltip-flyout">
					<form name="subForm" id="subForm" action="https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool" method="post" class="tight">

						
						<input id="FormName" name="FormName" value="MenuBarForm" type="hidden">

						<div>Email</div>
						<div><input class="small-text" type="email" name="Email" id="Email"></div>
						<div>Password</div>
						<div><input class="small-text" type="password" name="Password" id="Password"></div>
						<div class="action">
							
<script type="text/javascript">
function Join(){
 var url = 'http://www.codeproject.com/script/Membership/Modify.aspx?meml=' + document.subForm.Email.value;
 document.location.href=url;return false;
}
document.write('<input type="button" class="create" onclick="return Join();" value="Join"');
document.write('<input type="hidden" name="fld_quicksign" value="true" />');
</script><input type="button" class="create" onclick="return Join();" value="Join" <input="" name="fld_quicksign">
							<input type="submit" value="Sign in" class="signin" onclick="return doSubmit(false);">
						</div>

						<div class="container">
							
							&nbsp;
							<a id="ctl00_MemberMenu_SendPassword" class="forgot float-right" href="http://www.codeproject.com/script/Membership/SendPassword.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Forgot your password?</a>
						</div>
					</form>

					<hr class="divider-dark">

					Sign in using <a class="oauth" title="Sign in using Facebook" href="http://www.codeproject.com/script/Membership/OAuthLogOn.aspx?auth=Facebook"><img src="./TCP Session Reconstruction Tool - CodeProject_files/facebook.png" style="vertical-align:middle;padding-right:3px;border:0;"></a>
<a class="oauth" title="Sign in using Google" href="http://www.codeproject.com/script/Membership/OAuthLogOn.aspx?auth=Google"><img src="./TCP Session Reconstruction Tool - CodeProject_files/google-plus.png" style="vertical-align:middle;padding-right:3px;border:0;"></a>
<a class="oauth" title="Sign in using Linkedin" href="http://www.codeproject.com/script/Membership/OAuthLogOn.aspx?auth=LinkedIn"><img src="./TCP Session Reconstruction Tool - CodeProject_files/linkedin.png" style="vertical-align:middle;padding-right:3px;border:0;"></a>
<a class="oauth" title="Sign in using Microsoft" href="http://www.codeproject.com/script/Membership/OAuthLogOn.aspx?auth=Microsoft"><img src="./TCP Session Reconstruction Tool - CodeProject_files/microsoft.png" style="vertical-align:middle;padding-right:3px;border:0;"></a>

				</div>
            </span>
		
	</div>
</div></td>
		<td class="blank-background" style="height:31px">&nbsp;</td>
	</tr>
	<tr valign="middle">
		<td class="theme1-background" style="height:94px">&nbsp;</td>
		<td class="theme1-background ad"><div class="msg-728x90" data-format="728x90" data-type="ad" data-publisher="lqm.codeproject.site" data-zone="General-Programming/Internet-Network/Utilities" data-tags="VC8.0, .NET2.0, VS2005, C#2.0, C++/CLI, Windows, Dev, Intermediate,rating4.5"><noscript>&lt;a href="http://ad.doubleclick.net/N6839/jump/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=728x90;ord=635590748409036705?"&gt;&lt;img src="http://ad.doubleclick.net/N6839/ad/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=728x90;ord=635590748409036705?"  width="728px" height="90px" /&gt;&lt;/a&gt;</noscript></div></td>
		<td class="theme1-background" style="height:94px">&nbsp;</td>
	</tr>
	<tr valign="top">
		<td style="height: 14px;"></td>
		<td style="height: 14px;" class="blank-background"></td>
		<td style="height: 14px;"></td>
	</tr>
</tbody></table>


	<a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Main"><img alt="Click here to Skip to main content" class="access-link" src="./TCP Session Reconstruction Tool - CodeProject_files/t.gif"></a>

	
	<div id="ctl00_TPR" class="sub-headerbar fixed">
	<table cellpadding="0" cellspacing="0" class="extended"><tbody><tr><td nowrap="nowrap">
		

<div class="navbar clearfix">
<ul class="navmenu openable">

<li><a id="ctl00_TopNavBar_Home" href="http://www.codeproject.com/">home</a>


</li><li class=""><a id="ctl00_TopNavBar_Art" class="down selected" href="http://www.codeproject.com/script/Articles/Latest.aspx">articles</a>

	<ul>
		<li class=""><a id="ctl00_TopNavBar_ArtTopicList" class="fly" onmouseover="navBarMenu.ShowMap(this, &#39;ctl00_TopNavBar_MapFlyout&#39;);" href="http://www.codeproject.com/script/Content/SiteMap.aspx">Chapters and Sections<span class="has-submenu">&gt;</span></a><ul id="ctl00_TopNavBar_MapFlyout">
			<li>
				<div id="siteMap">
					<img src="./TCP Session Reconstruction Tool - CodeProject_files/animated.gif" alt="loading" style="margin:150px;width:100px;height:100px;">
				</div>
			</li>
			</ul>
		</li>
		<li><a id="ctl00_TopNavBar_ArtSearch" class="fly break" href="http://www.codeproject.com/search.aspx?sbo=kw">Search</a></li>
		<li><a id="ctl00_TopNavBar_ArtLatestArts" class="fly" href="http://www.codeproject.com/script/Articles/Latest.aspx?at=1,3,7">Latest Articles</a></li>
		<li><a id="ctl00_TopNavBar_ArtLatestTips" class="fly" href="http://www.codeproject.com/script/Articles/Latest.aspx?at=6">Latest Tips/Tricks</a></li>
		<li><a id="ctl00_TopNavBar_ArtTop" class="fly" href="http://www.codeproject.com/script/Articles/TopArticles.aspx?ta_so=5">Top Articles</a></li>
		<li><a id="ctl00_TopNavBar_ArtBeginner" class="fly" href="http://www.codeproject.com/search.aspx?sbo=kw?aidlst=152&sa_us=True">Beginner Articles</a></li>
		<li><a id="ctl00_TopNavBar_ArtBlogArticles" class="fly break" href="http://www.codeproject.com/script/Articles/BlogArticleList.aspx">Technical Blogs</a></li>
		<li><a id="ctl00_TopNavBar_ArtGuide" class="fly" href="http://www.codeproject.com/info/Submit.aspx">Posting/Update Guidelines</a></li>
		<li><a id="ctl00_TopNavBar_ArtHelpForum" class="fly" href="http://www.codeproject.com/Forums/1641/Article-Writing.aspx">Article Help Forum</a></li>
		<li><a id="ctl00_TopNavBar_ArtCompetition" class="fly break" href="http://www.codeproject.com/script/Awards/CurrentCompetitions.aspx?cmpTpId=1">Article Competition</a></li>
		<li><a id="ctl00_TopNavBar_ArtPostArticle" class="fly highlight1" href="http://www.codeproject.com/script/Articles/Submit.aspx">
			<img src="./TCP Session Reconstruction Tool - CodeProject_files/write13.png" width="13px" height="13px"> Submit an article or tip
			</a></li>
		<li><a id="ctl00_TopNavBar_ArtPostBlog" class="fly highlight2" href="http://www.codeproject.com/script/Articles/BlogFeed.aspx">
			<img src="./TCP Session Reconstruction Tool - CodeProject_files/write13.png" width="13px" height="13px"> Post your Blog
			</a></li>		<li class="last"></li>
	</ul>

</li>



<li class=""><a id="ctl00_TopNavBar_Answers" href="http://www.codeproject.com/script/Answers/List.aspx?tab=active">quick answers</a>
	<ul>
		<li id="ctl00_TopNavBar_AQL"><a id="ctl00_TopNavBar_ArticleQuestion" class="fly highlight1" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#_comments">
			<img src="./TCP Session Reconstruction Tool - CodeProject_files/write13.png" width="13px" height="13px"> Ask a Question about this 
			article</a>
		</li>

		<li><a id="ctl00_TopNavBar_QAAsk" class="fly highlight2" href="http://www.codeproject.com/Questions/ask.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/write13.png" width="13px" height="13px"> Ask a Question</a></li>

		
		<li><a id="ctl00_TopNavBar_QAUnanswered" class="fly" href="http://www.codeproject.com/script/Answers/List.aspx?tab=unanswered">View Unanswered Questions</a></li>
		<li><a id="ctl00_TopNavBar_QALatest" class="fly" href="http://www.codeproject.com/script/Answers/List.aspx?tab=active">View All Questions...</a></li>
		
				<li><a id="ctl00_TopNavBar_QATR_ctl00_Tag" class="fly" href="http://www.codeproject.com/script/Answers/List.aspx?tab=active&alltags=true&tags=81" style="padding-left:30px">C# questions</a></li>
			
				<li><a id="ctl00_TopNavBar_QATR_ctl01_Tag" class="fly" href="http://www.codeproject.com/script/Answers/List.aspx?tab=active&alltags=true&tags=85" style="padding-left:30px">ASP.NET questions</a></li>
			
				<li><a id="ctl00_TopNavBar_QATR_ctl02_Tag" class="fly" href="http://www.codeproject.com/script/Answers/List.aspx?tab=active&alltags=true&tags=842" style="padding-left:30px">VB.NET questions</a></li>
			
				<li><a id="ctl00_TopNavBar_QATR_ctl03_Tag" class="fly" href="http://www.codeproject.com/script/Answers/List.aspx?tab=active&alltags=true&tags=93" style="padding-left:30px">SQL questions</a></li>
			
				<li><a id="ctl00_TopNavBar_QATR_ctl04_Tag" class="fly" href="http://www.codeproject.com/script/Answers/List.aspx?tab=active&alltags=true&tags=377" style="padding-left:30px">C#3.5 questions</a></li>
			
		<li class="last"></li>
	</ul>

</li>



<li class=""><a id="ctl00_TopNavBar_Forums" href="http://www.codeproject.com/script/Forums/List.aspx">discussions</a>

	<ul>
		<li><a id="ctl00_TopNavBar_MessageBoardsAll" class="fly" href="http://www.codeproject.com/script/Forums/List.aspx">All Message Boards...</a></li>
		<li class=""><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1580997/Application-Lifecycle.aspx">Application Lifecycle<span class="has-submenu">&gt;</span></a>
<ul class="openable"><li><a class="fly" href="http://www.codeproject.com/Forums/1533717/Running-a-Business.aspx">Running a Business</a></li>
<li><a class="fly" href="http://www.codeproject.com/Forums/1533716/Sales-Marketing.aspx">Sales / Marketing</a></li>
<li><a class="fly" href="http://www.codeproject.com/Forums/1651/Collaboration-Beta-Testing.aspx">Collaboration / Beta Testing</a></li>
<li><a class="fly" href="http://www.codeproject.com/Forums/3304/Work-Training-Issues.aspx">Work &amp; Training Issues</a></li>
</ul></li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/369270/Design-and-Architecture.aspx">Design and Architecture</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/12076/ASP-NET.aspx">ASP.NET</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1580226/JavaScript.aspx">JavaScript</a>
</li>
<li class=""><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1647/C-Cplusplus-MFC.aspx">C / C++ / MFC<span class="has-submenu">&gt;</span></a>
<ul class="openable"><li><a class="fly" href="http://www.codeproject.com/Forums/4486/ATL-WTL-STL.aspx">ATL /  WTL / STL</a></li>
<li><a class="fly" href="http://www.codeproject.com/Forums/3785/Managed-Cplusplus-CLI.aspx">Managed C++/CLI</a></li>
</ul></li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1827459/Adobe-Technologies.aspx">Adobe Technologies</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1649/Csharp.aspx">C#</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1627782/Free-Tools.aspx">Free Tools</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1827460/Objective-C.aspx">Objective-C</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1832431/Ruby-On-Rails.aspx">Ruby On Rails</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1725/Database.aspx">Database</a>
</li>
<li class=""><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/186301/Hardware-Devices.aspx">Hardware &amp; Devices<span class="has-submenu">&gt;</span></a>
<ul class="openable"><li><a class="fly" href="http://www.codeproject.com/Forums/1644/System-Admin.aspx">System Admin</a></li>
</ul></li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1606152/Hosting-and-Servers.aspx">Hosting and Servers</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1643/Java.aspx">Java</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1650/NET-Framework.aspx">.NET Framework</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1848626/Android.aspx">Android</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1876716/iOS.aspx">iOS</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/13695/Mobile.aspx">Mobile</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1540733/Sharepoint.aspx">Sharepoint</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1004257/Silverlight-WPF.aspx">Silverlight / WPF</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1646/Visual-Basic.aspx">Visual Basic</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/Forums/1640/Web-Development.aspx">Web Development</a>
</li>
<li><a class="fly" style="padding-left:30px" href="http://www.codeproject.com/suggestions.aspx">Site Bugs / Suggestions</a>
</li>

		<li class="last"></li>
	</ul>

</li>

<li class=""><a id="ctl00_TopNavBar_Features" href="http://www.codeproject.com/Feature/">features</a>

	<ul>
		<li><a id="ctl00_TopNavBar_Comps" class="fly" href="http://www.codeproject.com/script/Awards/CurrentCompetitions.aspx?cmpTpId=1&awsac=true">Competitions</a></li>
		<li><a id="ctl00_TopNavBar_News" class="fly" href="http://www.codeproject.com/script/News/List.aspx">News</a></li>
		<li><a id="ctl00_TopNavBar_Insider" class="fly" href="http://www.codeproject.com/Feature/Insider/">The Insider Newsletter</a></li>
    	<li><a id="ctl00_TopNavBar_DailyBuild" class="fly" href="http://www.codeproject.com/Feature/DailyBuild">The Daily Build Newsletter</a></li>
		<li><a id="ctl00_TopNavBar_Newsletters" class="fly" href="http://www.codeproject.com/script/Mailouts/Archive.aspx?mtpid=1">Newsletter archive</a></li>
		<li><a id="ctl00_TopNavBar_Surveys" class="fly" href="http://www.codeproject.com/script/Surveys/List.aspx">Surveys</a></li>
		<li><a id="ctl00_TopNavBar_Showcase" class="fly" href="http://www.codeproject.com/KB/showcase/">Product Showcase</a></li>
		<li><a id="ctl00_TopNavBar_Research" class="fly" href="http://www.codeproject.com/script/ResearchLibrary/Index.aspx">Research Library</a></li>

		<li><a id="ctl00_TopNavBar_Stuff" class="fly" href="http://www.codeproject.com/Info/Stuff.aspx">CodeProject Stuff</a></li>
		<li class="last"></li>
	</ul>

</li>


<li class=""><a id="ctl00_TopNavBar_Lounge" href="http://www.codeproject.com/Lounge.aspx">community</a>

	<ul>
		<li><a id="ctl00_TopNavBar_WhosWho" class="fly" href="http://www.codeproject.com/script/Membership/Profiles.aspx">Who's Who</a></li>
		<li><a id="ctl00_TopNavBar_MVPs" class="fly break" href="http://www.codeproject.com/script/Awards/MVPWinners.aspx">Most Valuable Professionals</a></li>
		

		<li><a id="ctl00_TopNavBar_LoungeLnk" class="fly highlight2" href="http://www.codeproject.com/Lounge.aspx">The Lounge &nbsp;</a></li>
		<li><a id="ctl00_TopNavBar_InsiderLnk" class="fly" href="http://www.codeproject.com/Insider.aspx">The Insider News</a></li>
		<li><a id="ctl00_TopNavBar_WeirdWonderful" class="fly" href="http://www.codeproject.com/Feature/WeirdAndWonderful.aspx">The Weird &amp; The Wonderful</a></li>
		<li><a id="ctl00_TopNavBar_SoapBoxLnk" class="fly" href="http://www.codeproject.com/Forums/1536756/The-Soapbox.aspx">The Soapbox</a></li>
		<li><a id="ctl00_TopNavBar_PRLnk" class="fly break" href="http://www.codeproject.com/Forums/1738007/Press-Releases.aspx">Press Releases</a></li>

		
		<li class=""><a class="fly" href="http://www.codeproject.com/Forums/1580229/Hindi.aspx">Non-English Language
			<span class="has-submenu">&gt;</span></a>
		<ul>
		<li><a class="fly" href="http://www.codeproject.com/Forums/1580229/Hindi.aspx">General Indian Topics</a></li>
		<li><a class="fly" href="http://www.codeproject.com/Forums/1580230/Chinese.aspx">General Chinese Topics</a></li>
		</ul>
		</li><li class="last"></li>
		
	</ul>

</li>


<li class="" style="margin-left:20px"><a id="ctl00_TopNavBar_Help" href="http://www.codeproject.com/KB/FAQs/">help</a>

	<ul>
		<li><a id="ctl00_TopNavBar_HelpWhatIs" class="fly" href="http://www.codeproject.com/info/guide.aspx">What is 'CodeProject'?</a></li>
		<li><a id="ctl00_TopNavBar_HelpGeneral" class="fly break" href="http://www.codeproject.com/KB/FAQs/">General FAQ</a></li>
		<li><a id="ctl00_TopNavBar_HelpPostQuestion" class="fly break highlight2" href="http://www.codeproject.com/Questions/ask.aspx">Ask a Question</a></li>
		<li><a id="ctl00_TopNavBar_HelpBugs" class="fly" href="http://www.codeproject.com/suggestions.aspx">Bugs and Suggestions</a></li>
		<li><a id="ctl00_TopNavBar_HelpArticles" class="fly" href="http://www.codeproject.com/Forums/1641/Article-Writing.aspx">Article Help Forum</a></li>
		<li><a id="ctl00_TopNavBar_HelpSiteMap" class="fly" href="http://www.codeproject.com/script/Content/SiteMap.aspx">Site Map</a></li>
		<li><a id="ctl00_TopNavBar_HelpAdvertise" class="fly" href="http://developermedia.com/">Advertise with us</a></li>
		<li><a id="ctl00_TopNavBar_HelpJobs" class="fly" href="http://www.codeproject.com/info/Jobs/">Employment Opportunities</a></li>
		<li><a id="ctl00_TopNavBar_HelpAboutUs" class="fly" href="http://www.codeproject.com/info/about.aspx">About Us</a></li>
		<li class="last"></li>
	</ul>

</li>

</ul>

</div>
	</td><td align="right">
		


	</td></tr></tbody></table>
	<div class="sub-headerbar-divider"></div>
	</div>
	

	<div id="A" class="container-content-wrap fixed"> 

	<div itemscope="" itemtype="http://schema.org/Article" class="container-content"> 

		<div class="clearfix">
			<div class="float-left container-breadcrumb">
				<div><a href="http://www.codeproject.com/script/Content/SiteMap.aspx">Articles</a> » <a href="http://www.codeproject.com/Chapters/6/General-Programming.aspx">General Programming</a> » <a href="http://www.codeproject.com/KB/IP/"><span itemprop="articleSection">Internet / Network</span></a> » <a href="http://www.codeproject.com/KB/IP/#Utilities">Utilities</a></div>
			</div>

			<div class="align-left float-right padded-top" style="width">
				


 
&nbsp;










			</div>

			<div class="float-right article-nav">
				
				

<a id="ctl00_ActionLinks_BookmarkMd_ImgBt" title="Bookmark" alternatetext="Bookmark" name="bm_20501_2" onclick="return bookmarkMe(20501,2,&#39;/script/Bookmarks/Ajax/Add.aspx?obid=20501&amp;obtid=2&amp;action=AddBookmark&amp;bio=true&amp;bis=medium&#39;,&#39;medium&#39;);" href="http://www.codeproject.com/script/Bookmarks/Add.aspx?obid=20501&obtid=2&action=AddBookmark&bio=true&bis=medium" style="display:inline-block;height:24px;width:24px;"><img title="Bookmark" src="./TCP Session Reconstruction Tool - CodeProject_files/bookmark24.png" alt="" style="border-width:0px;"></a>


<span id="ctl00_ActionLinks_BookmarkMd_StatusMsg" class="tiny-text" style="display:none" name="bm_20501_2"></span>
<a id="ctl00_ActionLinks_PrintMd" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?display=Print">
	<img src="./TCP Session Reconstruction Tool - CodeProject_files/print24.png" title="Print" width="24px" height="24px" style="border:0">
</a>
			</div>

			<div class="align-right float-left">
				
			</div>
		</div>

		<table class="extended container-article-parts" cellpadding="0" cellspacing="0">
        <tbody><tr valign="top">
		<td width="117px">

			<div id="ctl00_Nav" class="container-article-tabs" style="position: static; top: 238px; left: 155.5px;">
				<div class="tabs">
					

<div class="">
	<div class="selected">Article</div><div class="unselected"><a href="http://www.codeproject.com/script/Articles/ViewDownloads.aspx?aid=20501">Browse Code</a></div><div class="unselected"><a href="http://www.codeproject.com/script/Articles/Statistics.aspx?aid=20501">Stats</a></div><div class="unselected"><a href="http://www.codeproject.com/script/Articles/ListVersions.aspx?aid=20501">Revisions</a></div><div class="unselected"><a href="http://www.codeproject.com/script/Articles/ListAlternatives.aspx?aid=20501">Alternatives</a></div>

	<div class="unselected"><a href="http://www.codeproject.com/Articles/20501/WebControls/#_comments" id="ctl00_ArticleTabs_CommentLink" class="anchorLink">Comments 
        <span id="ctl00_ArticleTabs_CmtCnt">(34)</span></a>
	</div>
</div>	

				</div>

				

			    <div class="tags"> 
                    <h4>Tagged as</h4>
			        <span id="ctl00_TagsList_TagWrp" class="tags">
	
	
	
	<span id="ctl00_TagsList_VisibleTags"><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/VC8.0">VC8.0</a></div><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/.NET2.0">.NET2.0</a></div><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/VS2005">VS2005</a></div><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/C--hash--2.0">C#2.0</a></div><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/C--plus----plus----slash--CLI">C++/CLI</a></div><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/Windows">Windows</a></div><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/Dev">Dev</a></div><div class="t"><a rel="tag" href="http://www.codeproject.com/Tags/Intermediate">Intermediate</a></div></span> 

	
	
</span>

			    </div>

				<div class="padded-top related">
					
				</div>

                <div class="anchorLink gototop" id="gototop">
                    <a id="ctl00_GoToTop" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#_articleTop">Go to top</a>
                </div>
			</div>

		</td>
		<td>
			
			<div id="AT" class="container-article  fixed"> 
				<div class="article">

					<form name="aspnetForm" method="post" action="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool" id="aspnetForm" style="margin:0;padding:0">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="ynFgdIF4WpNrUwrElj7IQM/k+5K9n5bL1OyuqofBTCcwCSPAUBe8LRrYPtOVeOOLifyv1U0qkCv2Wa+OXA5WX1k2sbCohn6qMxmt+sbU2Sy2LucKiIa9bodIgA2/h3c9PKZ2z88tFvQ9/Lz5KGbeVcV7/OTT3272kqg6CSGDILVGITLb9IIl8DHDJH0SFRMs87Yj+mc0Qf2IgqaXhsFNSNqc2EaKT5+eeUbCZSG9FEa1Cc77bAbhQYcPPCsf/vfXg7ZKRh5uu7LgdCTT1u2KRAl5pkzapD7ZmeCt0WRUxZY9QHyzUcMu3VpfTciivfqnG50tfB300StfV4KWgYLerKxQlxAmC6vP5ov2NB6CAHFG3yFSvrsev3HytivjeERuF8kP9AjUi3wnuc9hHZVzT9tdRgINWFcxfvBVObOkx/oDi7xQwHBh7i6oiiHQF6XC/2o0MoUjertlwobz4zw/6sFrO1vM9hcNAjUFUsfn9E/dk/RPVht95g05i6f9jyw1TXThDSIR4Fl61gvoOL/V2U35dPwmJ0qRtc+wI+31j43IyFkxluVlEVTTsWqwcsZVqyL5iLK4dvO1Yc1ITZLKS+xLfQwJqTkXSfAZteIfJHOpwdPtO1NK6VfAGq6n0qHN3jW6kGzI5lRvJe7pF5+qdE9lNpyXwZD8+3W260seYR3Tqbwd6PGmy2GQsEqZGVxXQfMCD53RX4vKvs1RLJbWh/VYFPt3ULHrShJW9t1Q2R3HdZHnCKBiwMPLtBpfPcjozwtj+HWNaMndOxyH6n9IlCz7Xj06YxMGjmcMJ/Wez8L+IuTaEYKFRCqnGgBBT257iANi1u0mQZre8xOCDuP3ni8tsoQgESStlME6hhtdRt1ObTcJYVqA5ZMfDzQUuJEbyYsRHym5iTqRXRfh4zW4C1DKoc3Pxxnj+Z+rYe7IN3XywRuSxkAilY461fQ7vizXpbGO+qjQ6B1uMA/8Ip6W67+0d1fa0yCZnSvBh8VpN95hkek2odBfor1hhjnXj37epCbRkXxBxJ0hSJ8Pd6NhF9pbt1WiafnsNIaKtJ5HczY12E0M4L45dfhwXFnd39maNzF5vQVS6MHhY/EkIUozyFcy4IIHZ/82IobBr6qBNonftqo/PaWXLEElWEHlbmpxT6AS22CMpGBypZY8/tvX6d2/8vF4ngMfq64c6fnc52e2Jv1/+5AoRv8KnN0tzeFap+uI0AmRv4/Pc5dBfODwo1jH/vfOVzLXr2n/xuTppJzHyNrsM4ZdHyQdltxL9i1sVIGotLsu5YtXd7K/yq0sBr0kkz8+pepZmTF9q9Wc17T+HObwB/NsbAw+DL67D9ZPh2WXKgdtoDRu3Uv+6pNU+A5/AwNLax0lo3eWn6j7m7rDIfJ3dGT4mvqN73VDN6QwNw1m6Cx+AIVZbk4J0Y+k/ECB00JAlB7gbF5kFtO0YhjITVOGbQ5BXJ17AJktrPS25Z4dySDTFi8bjONveCw+kgW/Ne64NES281R8EeeOlaqc3T9Ay5G/jvmtsNigGGBW/8YqJ8mX+ymbdtWEOnz1FnsP/fbj9Wgam3S9GpX18c5pgk76uy2/GyCSN8QsLLMu46rFHmXe+dFi6dhh/zWvg7r1xa6eOw61pcjMAxTREr5GiP7ASVPBTqrEuBppFQ/MSr8k3WhFGNOvs2ydcOgzn3mk795QVW0Z7RG1cf9E4n4QNPAV3cykJ63DZUDZwyvy/PTvpjez3aU6AZN7SH+NewjRDtna16lodmdgpxEHz93CzdnaTOX0IdKO21E9TlTc2pqW56NRCv6tqZctBif3VxPNf9sNes1ihuQvjPt/UFeVRgZ0zcxQpz5IBpTpDR/3jjRRENbnJXBw4k4WpY0jyXRUW1wsbqTAmKgHQtYBwyrcdOjxONl7UF9sWjpvzTlF1F3e/RhJ0h7jf2gUMG+x/IC5Fdm5iAptRw+ezIA4kVN5TnhhoeCqlemTuklf+gKaGyACaMpNnTm8UWXW8Eu9SVB8FtkKOxi2jRoV+5Yk7JOJtMDU2ML2AtFKox4BNsIY3FAUKC066Vz+6Gr4XiA4V56FesA=">
</div>

<div>

	<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="10C1FD69">
</div>

					
					 
					<div class="header">
					    <a name="Main"></a>

					    
					    <a name="_articleTop" id="_articleTop"></a>
					    <div class="title">
					        
					        <h1 id="ctl00_ArticleTitle" itemprop="name">TCP Session Reconstruction Tool</h1> 
					    </div>

                        <div style="height:34px">
					        
					        <div class="entry float-left">
                                
                                <div class="float-left">

						            <span class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602" rel="author"><span itemprop="author" itemscope="" itemtype="http://schema.org/Person"><span itemprop="name">Saar Yahalom</span></span></a></span>, 
						            <span class="date" itemprop="dateModified" content="2007-09-22 05:50:00">
							            22 Sep 2007</span>
			
                                    <a id="ctl00_LicenseLink" title="The Code Project Open License (CPOL)" class="license" href="http://www.codeproject.com/info/cpol10.aspx">CPOL</a><div id="ctl00_CurRat" class="tooltip anchorLink" style="cursor:pointer;margin-top: 5px" name="CurRat_20501">
				
							            

<table cellpadding="0" cellspacing="0" class="small-text" itemprop="aggregateRating" itemscope="" itemtype="http://schema.org/AggregateRating"> 
<tbody><tr>
	
	<td class="nowrap">

		
			<meta itemprop="bestRating" content="5"> 
			<meta itemprop="worstRating" content="1">
		

		<span id="ctl00_ArticleRating_VI">
		<div class="nowrap rating-stars-large" style="height:21px;width:119px;position:relative;">
	<div class="clipped align-left float-left" style="height:19px;width:112px;">
		<img src="./TCP Session Reconstruction Tool - CodeProject_files/stars-fill-lg.png" style="border-width:0px;">
	</div><div class="clipped" style="height:19px;width:7px;position:relative;">
		<img src="./TCP Session Reconstruction Tool - CodeProject_files/stars-empty-lg.png" style="border-width:0px;position:absolute;top:0;right:0;">
	</div>
</div>
		</span>

		
	</td>
	
	<td id="ctl00_ArticleRating_VR" class="nowrap">
		&nbsp;
		<span id="ctl00_ArticleRating_VotesR">&nbsp;<span itemprop="ratingValue" class="rating">4.65</span> (<span itemprop="ratingCount" class="count">17</span> votes)</span>
		
	</td>

</tr>

</tbody></table>


							            <div id="ctl00_RB" class="speech-bubble-container-up">
								            <div class="speech-bubble-up" style="width:150px !important">
									                        
<div>
<table class="feature" width="100%" height="50px" title="Voting Distribution. Recent data only" cellpadding="0" cellspacing="0"><tbody><tr class="chart-row"><td class="chart-column"><span title="0 votes">1</span></td>
<td class="chart-column"><span title="0 votes">2</span></td>
<td class="chart-column"><span title="0 votes">3</span></td>
<td class="chart-column"><div><img src="./TCP Session Reconstruction Tool - CodeProject_files/pollcol.gif" width="20pxpx" height="20px" border="0px" alt="5 votes, 29.4%" title="5 votes, 29.4%"></div><span title="5 votes">4</span></td>
<td class="chart-column"><div><img src="./TCP Session Reconstruction Tool - CodeProject_files/pollcol.gif" width="20pxpx" height="50px" border="0px" alt="12 votes, 70.6%" title="12 votes, 70.6%"></div><span title="12 votes">5</span></td>
</tr></tbody></table><div class="small-text align-center">4.65/5 - 17 votes</div><div class="small-text align-center subdue">μ 4.65, σ<sub>a</sub> 0.84 [<a href="http://www.codeproject.com/KB/FAQs/RatingReputationFAQ.aspx#noisefilter">?</a>]</div>
</div>
								            </div>
								            <div class="speech-bubble-pointer-up">
									            <div class="speech-bubble-pointer-up-inner"></div>
								            </div>
							            </div>
						            </div>
                                </div>
					        </div>

                            
						    <div id="ctl00_RateArticleRow" class="float-right align-right voting-bar">
						        <div id="ctl00_RateArticle_RateItemWrapper" class="small-text" name="RateItem_20501">

	<table width="100%" cellpadding="0" cellspacing="0" class="small-text">
	<tbody><tr>
		<td id="ctl00_RateArticle_VoteResultDiv" class="rating-result align-right">
			<span class="align-right"></span>
			<img class="loaderImg" width="16px" alt="loading..." height="16px" src="./TCP Session Reconstruction Tool - CodeProject_files/animated_loading_blue.gif" style="display:none;"> 
		</td>

	
		<td class="voteTbl" style="white-space:nowrap" align="right">
			<table class="small-text">
			<tbody><tr>
				<td id="ctl00_RateArticle_RateText" class="rating-prompt">
					Rate this:
				</td>

				
				<td id="ctl00_RateArticle_VoteFormDiv" class="nowrap rating-stars-voter-large">
					

					<span id="ctl00_RateArticle_RB" class="tooltip ajaxHist radio voting">
						<span id="ctl00_RateArticle_VoteRBL"><input id="ctl00_RateArticle_VoteRBL_0" type="radio" name="ctl00$RateArticle$VoteRBL" value="1" style="display: none;"><input id="ctl00_RateArticle_VoteRBL_1" type="radio" name="ctl00$RateArticle$VoteRBL" value="2" style="display: none;"><input id="ctl00_RateArticle_VoteRBL_2" type="radio" name="ctl00$RateArticle$VoteRBL" value="3" style="display: none;"><input id="ctl00_RateArticle_VoteRBL_3" type="radio" name="ctl00$RateArticle$VoteRBL" value="4" style="display: none;"><input id="ctl00_RateArticle_VoteRBL_4" type="radio" name="ctl00$RateArticle$VoteRBL" value="5" style="display: none;"></span> 

						
					<div class="rating-star-block"><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" rating="1" class="star outline" title="vote 1">vote 1</a><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" rating="2" class="star outline" title="vote 2">vote 2</a><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" rating="3" class="star outline" title="vote 3">vote 3</a><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" rating="4" class="star outline" title="vote 4">vote 4</a><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" rating="5" class="star outline" title="vote 5">vote 5</a></div></span>

				</td>

				
				<td style="padding-left:5px">	
					<input type="submit" name="ctl00$RateArticle$SubmitRateBtn" value="Vote!" id="ctl00_RateArticle_SubmitRateBtn" class="button" style="display: none;">
				</td>
			</tr>
			</tbody></table>
			
		</td>
	</tr>
	</tbody></table>
	<div class="hover-container">
		
        <div id="ctl00_RateArticle_RSU" class="rating-comment align-left float-right">
            <div class="padded">
            Please <a id="ctl00_RateArticle_SignUp" href="https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign up or sign in</a> to vote.
            </div>
        </div>
	</div>
</div>
						    </div>
						    	

						    	
                            <div class="float-right" style="margin: 4px 20px 0 0">
						        
                            </div>                    
						    	
                        </div>

   					    
                        <div id="ctl00_description" class="summary">A TCP session reconstruction tool for C#.</div>			

                    </div>
                    
					
					

					

					
					
					

						
					

					

						
						<div id="contentdiv" class="text" itemprop="articleBody">
						



<div class="row"><ul class="download float-left">
<li><a href="http://www.codeproject.com/KB/IP/TcpRecon/TcpReconBin.zip">Download executables - 90.4 KB</a></li>

<li><a href="http://www.codeproject.com/KB/IP/TcpRecon/TcpRecon.zip">Download source - 269 KB</a></li>

<li><a href="http://www.winpcap.org/">WinPcap installation, needed to run TcpRecon</a></li>

<li><a href="http://www.codeproject.com/KB/IP/TcpRecon/Libnids-119_With_managedLibnids.zip">Libnids 1.19 with the wrapper library managedLibnis - 520 KB</a></li>

<li><a href="http://www.codeproject.com/KB/IP/TcpRecon/Winpcap41.zip">WinPcap source, needed to compile the libnids library - 677 KB</a></li>
</ul><div class="float-left" style="margin-top:25px;margin-left:30px"><div data-format="1x11" data-type="ad" data-publisher="lqm.codeproject.site" data-zone="downloadlink" data-tags="vc8.0%2c.net2.0%2cvs2005%2cc%232.0%2cc%2b%2b%2fcli%2cwindows%2cdev%2cintermediate"></div></div></div>

<h2><a name="Introduction0">Introduction</a></h2>

<p>This is a C# utility for reconstructing sniffer captured TCP sessions (even incomplete). This is based on libnids and a translated part of WireShark. Not being able to find such a solution, I had to build one myself.</p>

<p>I was looking for some tools which could reconstruct a TCP session from a Pcap file. The tools I have found were mostly for Linux, or robust GUI tools like WireShark. So, I decided to build my own tool. It is time that the C# community will have a TCP session reconstruction tool.</p>

<h2>Contents</h2>

<ul>
<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Introduction0">Introduction</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Background1">Background</a></li>

<ul>
<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#WhatisaSniffer2">What is a Sniffer?</a></li>

<li><a href="./TCP Session Reconstruction Tool - CodeProject_files/TCP Session Reconstruction Tool - CodeProject.htm">TCP session reconstruction</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Whatisitgoodfor4">What is it good for?</a></li>
</ul>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Firsttryusinglibnids5">First try using libnids</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Stillnotgoodenough6">Still not good enough</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Secondtry,hackingWireShark7">Second try, hacking WireShark</a></li>

<ul>
<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Capturingthepackets8">Capturing the packets</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Thefinaldesign9">The final design</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Makingitworktogether10">Making it work together</a></li>
</ul>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Howtousethistool11">How to use this tool</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#AdditionalInformation12">Additional information</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#Thanks13">Thanks</a></li>

<li><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#History14">History</a></li>
</ul>

<h2><a name="Background1">Background</a></h2>

<h3><a name="WhatisaSniffer2">What is a Sniffer?</a></h3>

<blockquote>
<p>"A sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a network. They are available for several platforms in both commercial and open-source variations. Some of the simplest packages are actually quite easy to implement in C or Perl; use a command line interface and dump the captured data to the screen. More complex projects use a GUI, graph traffic statistics, track multiple sessions, and offer several configuration options. Sniffers are also the engines for other programs. Intrusion Detection Systems (IDS) use sniffers to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use sniffers to gather data necessary for metrics and analysis. Law enforcement agencies that need to monitor emails during investigations likely employ a sniffer designed to capture very specific traffic."</p>
</blockquote>

<p>Excerpt from - Sniffers: What They Are and How to Protect Yourself</p>

<h3><a name="TCPSessionReconstruction3">TCP session reconstruction</a></h3>

<p>A sniffer lets you capture packets on your network, but the packets come in various shapes and colors, and they are often in disorder. TCP reconstruction is the reordering of the session data back to its original state.</p>

<h3><a name="Whatisitgoodfor4">What is it good for?</a></h3>

<p>In a sentence, it lets you watch the <a href="http://en.wikipedia.org/wiki/OSI_model#Layer_7:_Application_layer" target="_blank">application layer data</a>. Let's say, you have a capture file obtained from a program such as tcpdump or WireShark. Now, you want to observe the actual sessions that you captured, for example, a full HTTP session between a server and a client. You can reconstruct the page requests and the HTTP server responses. Yes, this means you can also actually reconstruct emails and attachments that are sent over your network.</p>

<p>I use it in a security tool I'm working on. You can use this kind of functionality to do good or evil, but it is a powerful functionality that is missing.</p>

<h2><a name="Firsttryusinglibnids5">First try using libnids</a></h2>

<p>libnids is a library designed by Rafal Wojtczuk. It emulates the IP stack of Linux 2.0.x. libnids offers IP defragmentation, TCP stream assembly, and TCP port scan detection. There are some ports of the library to Win32, the most recent one I have found is for version 1.19 (the newest Linux version is 1.22). You will also need the WinPcap library in order to build it. The solution here is to wrap this library with managed C++ code and provide two managed callbacks, one for the server data and one for the client data.</p>

<p>How to work with libnids:</p>

<ul>
<li>The first thing we have to do is to configure the library <code>nids_params</code> struct. I needed to work on a capture file, this is the place to pass the file name. You can set a lot of options here, including a filter which can be very useful if you have a big data file, or you decide to run live on the wire.</li>

<li>Call <code>nids_init()</code>.</li>

<li>Register a local non managed callback for the library.</li>

<li>Setup the two managed callbacks.</li>

<li>Call <code>nids_run()</code>.</li>
</ul>

<div class="pre-action-link" id="premain0" width="100%" style="display:block"><img id="preimg0" src="./TCP Session Reconstruction Tool - CodeProject_files/minus.gif" height="9" width="9" preid="0" style="cursor: pointer;"><span id="precollapse0" preid="0" style="cursor: pointer; margin-bottom: 0px;"> Collapse</span><span> | </span><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" preid="0">Copy Code</a></div><pre lang="cpp" id="pre0" style="margin-top: 0px;"><span class="code-comment">//</span><span class="code-comment"> set the pcap file name in the nids param structure
</span><span class="code-sdkkeyword">IntPtr</span> p = Marshal::StringToHGlobalAnsi(filename);
<span class="code-keyword">char</span> *szFile = (<span class="code-keyword">char</span>*)p.ToPointer();
nids_params.filename = szFile;
.
.
.
<span class="code-comment">//</span><span class="code-comment"> register the managed callbacks
</span>managedLibnids::LibnidsWrapper::m_clientCallback = clientCallback;
managedLibnids::LibnidsWrapper::m_serverCallback = serverCallback;
<span class="code-comment">//</span><span class="code-comment"> init libnids
</span><span class="code-keyword">if</span> (!nids_init ())
{
    <span class="code-keyword">return</span>;
}
<span class="code-comment">//</span><span class="code-comment"> register the local callback
</span>nids_register_tcp (tcp_callback);

<span class="code-comment">//</span><span class="code-comment"> start the capture ...
</span>nids_run ();</pre>

<p>Simple as that. Of course, now you need to marshal data off to the managed callbacks, but besides that, you are basically done.</p>

<p>This is the interesting part of the local callback function:</p>

<div class="pre-action-link" id="premain1" width="100%" style="display:block"><img id="preimg1" src="./TCP Session Reconstruction Tool - CodeProject_files/minus.gif" height="9" width="9" preid="1" style="cursor: pointer;"><span id="precollapse1" preid="1" style="cursor: pointer; margin-bottom: 0px;"> Collapse</span><span> | </span><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" preid="1">Copy Code</a></div><pre id="pre1" style="margin-top: 0px;"><span class="code-keyword">void</span> managedLibnids::tcp_callback (<span class="code-keyword">struct</span> tcp_stream *a_tcp, 
                                   <span class="code-keyword">void</span> ** this_time_not_needed)
{
  <span class="code-keyword">if</span> (a_tcp-&gt;nids_state == NIDS_JUST_EST)
    {
    <span class="code-comment">//</span><span class="code-comment"> connection described by a_tcp is established
</span>    <span class="code-comment">//</span><span class="code-comment"> here we decide, if we wish to follow this stream
</span>    <span class="code-comment">//</span><span class="code-comment"> sample condition: if (a_tcp-&gt;addr.dest!=23) return;
</span>    <span class="code-comment">//</span><span class="code-comment"> in this simple app we follow each stream, so..
</span>      a_tcp-&gt;client.collect++; <span class="code-comment">//</span><span class="code-comment"> we want data received by a client
</span>      a_tcp-&gt;server.collect++; <span class="code-comment">//</span><span class="code-comment"> and by a server, too
</span>      a_tcp-&gt;server.collect_urg++; <span class="code-comment">//</span><span class="code-comment"> we want urgent data received by a
</span>                                   <span class="code-comment">//</span><span class="code-comment"> server
</span>      a_tcp-&gt;client.collect_urg++; <span class="code-comment">//</span><span class="code-comment"> if we don't increase this value,
</span>                                   <span class="code-comment">//</span><span class="code-comment"> we won't be notified of urgent data
</span>                                   <span class="code-comment">//</span><span class="code-comment"> arrival
</span>      <span class="code-keyword">return</span>;
    }
.
.
.
  <span class="code-keyword">if</span> (a_tcp-&gt;nids_state == NIDS_DATA)
    {
      <span class="code-comment">//</span><span class="code-comment"> new data has arrived; gotta determine in what direction
</span>      <span class="code-comment">//</span><span class="code-comment"> and if it's urgent or not
</span>
      <span class="code-keyword">struct</span> half_stream *hlf;

      <span class="code-comment">//</span><span class="code-comment"> So, we have some normal data to take care of.
</span>      <span class="code-keyword">if</span> (a_tcp-&gt;client.count_new)
      {
          <span class="code-comment">//</span><span class="code-comment"> new data for client
</span>          hlf = &amp;a_tcp-&gt;client; <span class="code-comment">//</span><span class="code-comment"> from now on, we will deal with hlf var,
</span>                                <span class="code-comment">//</span><span class="code-comment"> which will point to client side of conn
</span>      }
      <span class="code-keyword">else</span>
      {
        hlf = &amp;a_tcp-&gt;server; <span class="code-comment">//</span><span class="code-comment"> analogical
</span>      }
      <span class="code-comment">//</span><span class="code-comment">we send the newly arrived data
</span>      <span class="code-keyword">int</span> len = hlf-&gt;count_new;
      <span class="code-comment">//</span><span class="code-comment"> Marshal the data
</span>      <span class="code-keyword">array</span>[byte]^ data = <span class="code-keyword">gcnew</span> <span class="code-keyword">array</span>[byte](len);
      Marshal::Copy((<span class="code-sdkkeyword">IntPtr</span>)hlf-&gt;data,data,<span class="code-digit">0</span>, len);
      <span class="code-comment">//</span><span class="code-comment"> Send the data to the callback
</span>      <span class="code-keyword">if</span> (a_tcp-&gt;client.count_new)
        LibnidsWrapper::m_clientCallback(data,a_tcp-&gt;addr.saddr,
          a_tcp-&gt;addr.source,a_tcp-&gt;addr.daddr,a_tcp-&gt;addr.dest,<span class="code-keyword">false</span>);    
      <span class="code-keyword">else</span>
         LibnidsWrapper::m_serverCallback(data,a_tcp-&gt;addr.saddr,
           a_tcp-&gt;addr.source,a_tcp-&gt;addr.daddr,a_tcp-&gt;addr.dest,<span class="code-keyword">false</span>);    
    }
  <span class="code-keyword">return</span> ;
}</pre>

<h2><a name="Stillnotgoodenough6">Still not good enough</a></h2>

<p>I have discovered that only complete or nearly complete sessions get reassembled with libnids. This is usually enough for most people, but I need to check incomplete sessions as well. I usually work with WireShark on specific streams, and it has the ability to follow TCP streams, even incomplete streams. This is the ability I want to have as well.</p>

<h2><a name="Secondtry,hackingWireShark7">Second try, hacking WireShark</a></h2>

<p>Luckily, WireShark is an open source project. I stripped it open, and searched for the code that reconstructs the TCP session, and Walla! From here, all I had to do was to translate the ANSI C code to pure C#. The code was very intuitive and easy to follow, thanks for the guys at WireShark that did a good job.</p>

<p>This is the main function that reconstructs the TCP session:</p>

<div class="pre-action-link" id="premain2" width="100%" style="display:block"><img id="preimg2" src="./TCP Session Reconstruction Tool - CodeProject_files/minus.gif" height="9" width="9" preid="2" style="cursor: pointer;"><span id="precollapse2" preid="2" style="cursor: pointer; margin-bottom: 0px;"> Collapse</span><span> | </span><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" preid="2">Copy Code</a></div><pre lang="cs" id="pre2" style="margin-top: 0px;">    <span class="code-keyword">private</span> <span class="code-keyword">void</span> reassemble_tcp( <span class="code-keyword">ulong</span> sequence, <span class="code-keyword">ulong</span> length, <span class="code-keyword">byte</span>[] data,
                   <span class="code-keyword">ulong</span> data_length, <span class="code-keyword">bool</span> synflag, <span class="code-keyword">long</span> net_src,
                   <span class="code-keyword">long</span> net_dst, <span class="code-keyword">uint</span> srcport, <span class="code-keyword">uint</span> dstport) 
    {
       <span class="code-keyword">long</span> srcx, dstx;
       <span class="code-keyword">int</span> src_index, j;
       <span class="code-keyword">bool</span> first = <span class="code-keyword">false</span>;
       <span class="code-keyword">ulong</span> newseq;
       tcp_frag tmp_frag;

       src_index = -1;

       <span class="code-comment">/*</span><span class="code-comment"> Now check if the packet is for this connection. */</span>
        srcx = net_src;
        dstx = net_dst;

       <span class="code-comment">/*</span><span class="code-comment"> Check to see if we have seen this source IP and port before.
       (Yes, we have to check both source IP and port; the connection
       might be between two different ports on the same machine.) */</span>
       <span class="code-keyword">for</span>( j=0; j&lt;<span class="code-digit">2</span>; j++ ) {
           <span class="code-keyword">if</span> (src_addr[j] == srcx &amp;&amp; src_port[j] == srcport ) {
               src_index = j;
           }
       }
       <span class="code-comment">/*</span><span class="code-comment"> we didn't find it if src_index == -1 */</span>
       <span class="code-keyword">if</span>( src_index &lt; <span class="code-digit">0</span> ) {
           <span class="code-comment">/*</span><span class="code-comment"> assign it to a src_index and get going */</span>
           <span class="code-keyword">for</span>( j=0; j&lt;<span class="code-digit">2</span>; j++ ) {
               <span class="code-keyword">if</span>( src_port[j] == <span class="code-digit">0</span> ) {
                   src_addr[j] = srcx;
                   src_port[j] = srcport;
                   src_index = j;
                   first = <span class="code-keyword">true</span>;
                   <span class="code-keyword">break</span>;
               }
           }
       }
       <span class="code-keyword">if</span>( src_index &lt; <span class="code-digit">0</span> ) {
           <span class="code-keyword">throw</span> <span class="code-keyword">new</span> Exception(<span class="code-string">"</span><span class="code-string">ERROR in reassemble_tcp: Too many addresses!"</span>);
       }

       <span class="code-keyword">if</span>( data_length &lt; length ) {
           incomplete_tcp_stream = <span class="code-keyword">true</span>;
       }

       <span class="code-comment">/*</span><span class="code-comment"> now that we have filed away the srcs, lets get the sequence number stuff
       figured out */</span>
       <span class="code-keyword">if</span>( first ) {
           <span class="code-comment">/*</span><span class="code-comment"> this is the first time we have seen this src's sequence number */</span>
           seq[src_index] = sequence + length;
           <span class="code-keyword">if</span>( synflag ) {
               seq[src_index]++;
           }
           <span class="code-comment">/*</span><span class="code-comment"> write out the packet data */</span>
           write_packet_data( src_index, data );
           <span class="code-keyword">return</span>;
       }
       <span class="code-comment">/*</span><span class="code-comment"> if we are here, we have already seen this src, let's
       try and figure out if this packet is in the right place */</span>
       <span class="code-keyword">if</span>( sequence &lt; seq[src_index] ) {
           <span class="code-comment">/*</span><span class="code-comment"> this sequence number seems dated, but
           check the end to make sure it has no more
           info than we have already seen */</span>
           newseq = sequence + length;
           <span class="code-keyword">if</span>( newseq &gt; seq[src_index] ) {
               <span class="code-keyword">ulong</span> new_len;

               <span class="code-comment">/*</span><span class="code-comment"> this one has more than we have seen. let's get the
               payload that we have not seen. */</span>

               new_len = seq[src_index] - sequence;

               <span class="code-keyword">if</span> ( data_length &lt;= new_len ) {
                   data = <span class="code-keyword">null</span>;
                   data_length = <span class="code-digit">0</span>;
                   incomplete_tcp_stream = <span class="code-keyword">true</span>;
               } <span class="code-keyword">else</span> {
                   data_length -= new_len;
                   <span class="code-keyword">byte</span>[] tmpData = <span class="code-keyword">new</span> <span class="code-keyword">byte</span>[data_length];
                   <span class="code-keyword">for</span>(<span class="code-keyword">ulong</span> i=0; i&lt;data_length; /&gt; <span class="code-digit">0</span> &amp;&amp; sequence &gt; seq[src_index] ) {
               tmp_frag = <span class="code-keyword">new</span> tcp_frag();
               tmp_frag.data = data;
               tmp_frag.seq = sequence;
               tmp_frag.len = length;
               tmp_frag.data_len = data_length;
               
               <span class="code-keyword">if</span>( frags[src_index] != <span class="code-keyword">null</span> ) {
                   tmp_frag.next = frags[src_index];
               } <span class="code-keyword">else</span> {
                   tmp_frag.next = <span class="code-keyword">null</span>;
               }
               frags[src_index] = tmp_frag;
           }
       }
    } <span class="code-comment">/*</span><span class="code-comment"> end reassemble_tcp */</span></pre>

<p>O.K. We can reconstruct a session; now, all we need is to capture the packets and store each session separately.</p>

<h3><a name="Capturingthepackets8">Capturing the packets</a></h3>

<p>For this, I have used a great library I have found here at CodeProject, which is called SharpPcap, written by <a href="http://www.tamirgal.com/home/default.aspx" target="_blank">Tamir Gal</a>. For more info, you can check out this link on how to work with <a href="http://www.tamirgal.com/home/PageView.aspx?Item=SharpPcapTutorial" target="_blank">SharpPcap</a>.</p>

<p>Here is the code I have used to capture TCP packets:</p>

<div class="pre-action-link" id="premain3" width="100%" style="display:block"><img id="preimg3" src="./TCP Session Reconstruction Tool - CodeProject_files/minus.gif" height="9" width="9" preid="3" style="cursor: pointer;"><span id="precollapse3" preid="3" style="cursor: pointer; margin-bottom: 0px;"> Collapse</span><span> | </span><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" preid="3">Copy Code</a></div><pre lang="cs" id="pre3" style="margin-top: 0px;">    <span class="code-keyword">try</span>
    {
        <span class="code-comment">//</span><span class="code-comment">Get an offline file pcap device
</span>        device = SharpPcap.GetPcapOfflineDevice(capFile);
        <span class="code-comment">//</span><span class="code-comment">Open the device for capturing
</span>        device.PcapOpen();
    }
    <span class="code-keyword">catch</span> (Exception e)
    {
        Console.WriteLine(e.Message);
        <span class="code-keyword">return</span>;
    }

    <span class="code-comment">//</span><span class="code-comment">Register our handler function to the 'packet arrival' event
</span>    device.PcapOnPacketArrival +=
        <span class="code-keyword">new</span> SharpPcap.PacketArrivalEvent(device_PcapOnPacketArrival);

    <span class="code-comment">//</span><span class="code-comment"> add a filter so we get only tcp packets
</span>    device.PcapSetFilter(<span class="code-string">"</span><span class="code-string">tcp"</span>);

    <span class="code-comment">//</span><span class="code-comment">Start capture 'INFINTE' number of packets
</span>    <span class="code-comment">//</span><span class="code-comment">This method will return when EOF reached.
</span>    device.PcapCapture(SharpPcap.INFINITE);

    <span class="code-comment">//</span><span class="code-comment">Close the pcap device
</span>    device.PcapClose();</pre>

<h3><a name="Thefinaldesign9">The final design</a></h3>

<p>The design I used is a dictionary object that holds pairs of <code>(Connection, TcpRecon)</code> objects. <code>TcpRecon</code> holds a <code>FileStream</code> and the state of the TCP connection. It is responsible for the actual reconstruction of a TCP session and the storing of the session in its <code>FileStream</code>. <code>Connection</code> holds session information such as source IP, destination IP, source port, destination port, etc.</p>

<h3><a name="Makingitworktogether10">Making it work together</a></h3>

<p>The SharpPcap library callback searches for a matching connection in the dictionary. Next, the packet is fed to the correct <code>TcpRecon</code>, which in turn reconstructs the session.</p>

<div class="pre-action-link" id="premain4" width="100%" style="display:block"><img id="preimg4" src="./TCP Session Reconstruction Tool - CodeProject_files/minus.gif" height="9" width="9" preid="4" style="cursor: pointer;"><span id="precollapse4" preid="4" style="cursor: pointer; margin-bottom: 0px;"> Collapse</span><span> | </span><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" preid="4">Copy Code</a></div><pre lang="cs" id="pre4" style="margin-top: 0px;">    <span class="code-comment">//</span><span class="code-comment"> The callback function for the SharpPcap library
</span>    <span class="code-keyword">private</span> <span class="code-keyword">static</span> <span class="code-keyword">void</span> device_PcapOnPacketArrival(<span class="code-keyword">object</span> sender, Packet packet)
    {
        TCPPacket tcpPacket = (TCPPacket)packet;
        <span class="code-comment">//</span><span class="code-comment"> Creates a key for the dictionary
</span>        Connection c = <span class="code-keyword">new</span> Connection(tcpPacket);

        <span class="code-comment">//</span><span class="code-comment"> create a new entry if the key does not exists
</span>        <span class="code-keyword">if</span> (!sharpPcapDict.ContainsKey(c))
        {
            <span class="code-keyword">string</span> fileName = c.getFileName(path);
            TcpRecon tcpRecon = <span class="code-keyword">new</span> TcpRecon(fileName);
            sharpPcapDict.Add(c, tcpRecon);
        }

        <span class="code-comment">//</span><span class="code-comment"> Use the TcpRecon class to reconstruct the session
</span>        sharpPcapDict[c].ReassemblePacket(tcpPacket);
    }</pre>

<h2><a name="Howtousethistool11">How to use this tool</a></h2>

<p><strong>Note</strong> that you must have WinPcap installed in order to run TcpRecon!</p>

<div class="pre-action-link" id="premain5" width="100%" style="display:block"><img id="preimg5" src="./TCP Session Reconstruction Tool - CodeProject_files/minus.gif" height="9" width="9" preid="5" style="cursor: pointer;"><span id="precollapse5" preid="5" style="cursor: pointer; margin-bottom: 0px;"> Collapse</span><span> | </span><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" preid="5">Copy Code</a></div><pre lang="text" id="pre5" style="margin-top: 0px;">TcpRecon &lt;capture file name&gt; &lt;-nids&gt;
The -nids flag is used to activate the libnids reconstruction 
    instead of the built in functionality.
The tool will create session files of the form:
    &lt;server_ip&gt;.&lt;server_port&gt;-&lt;client_ip&gt;.&lt;client_port&gt;.data</pre>

<h2><a name="AdditionalInformation12">Additional information</a></h2>

<ul>
<li><a href="http://libnids.sourceforge.net/">Libnids project</a>[<a title="New Window" href="http://libnids.sourceforge.net/" target="_blank">^</a>]</li>

<li><a href="http://www.wireshark.org/">WireShark project</a>[<a title="New Window" href="http://www.wireshark.org/" target="_blank">^</a>]</li>

<li><a href="http://www.winpcap.org/">WinPcap</a>[<a title="New Window" href="http://www.winpcap.org/" target="_blank">^</a>] - A library that most sniffers rely on.</li>

<li><a href="http://www.winpcap.org/windump/">Windump</a>[<a title="New Window" href="http://www.winpcap.org/windump/" target="_blank">^</a>] - A command line sniffer tool for Windows.</li>

<li><a href="http://www.tamirgal.com/home/dev.aspx?Item=SharpPcap">SharpPcap project</a>[<a title="New Window" href="http://www.tamirgal.com/home/dev.aspx?Item=SharpPcap" target="_blank">^</a>]</li>
</ul>

<h2><a name="Thanks13">Thanks</a></h2>

<p>I would like to thank all the wonderful people behind the projects I've used to build this tool. Thank you for sharing.</p>

<h2><a name="History14">History</a></h2>

<ul>
<li>Version 1 - First Submission</li>

<li>Version 1.01 - Fixed handling of none TCP packets.</li>
</ul>


						</div>
						

						<div class="float-right" style="margin:20px 0 0 10px;border:1px solid #ccc">
						<div class="msg-300x250" data-format="300x250" data-type="ad" data-publisher="lqm.codeproject.site" data-zone="General-Programming/Internet-Network/Utilities" data-loadonview="true" data-tags="VC8.0, .NET2.0, VS2005, C#2.0, C++/CLI, Windows, Dev, Intermediate,rating4.5"><noscript>&lt;a href="http://ad.doubleclick.net/N6839/jump/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=300x250;ord=635590748409036705?"&gt;&lt;img src="http://ad.doubleclick.net/N6839/ad/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=300x250;ord=635590748409036705?"  width="300px" height="250px" /&gt;&lt;/a&gt;</noscript></div>
						</div>
                        
                        
						
						<h2>License</h2>
						<div id="LicenseTerms"><p>This article, along with any associated source code and files, is licensed under <a href="http://www.codeproject.com/info/cpol10.aspx" rel="license">The Code Project Open License (CPOL)</a></p></div>
						

                        
						<h2>Share</h2>
				        <div style="margin-bottom:40px;width:385px">
					        



<!-- Buttons start here. Copy this ul to your document. -->
<ul class="rrssb-buttons clearfix rrssb-1">
    <li class="email" data-initwidth="14.285714285714286" style="width: calc(100% - 252px);" data-size="37">

        <!-- Replace subject with your message using URL Endocding: http://meyerweb.com/eric/tools/dencoder/ -->
        <a href="mailto:?subject=TCP+Session+Reconstruction+Tool+-+CodeProject&body=http%3a%2f%2fwww.codeproject.com%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">
            <span class="icon">
                <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" x="0px" y="0px" width="28px" height="28px" viewBox="0 0 28 28" enable-background="new 0 0 28 28" xml:space="preserve"><g><path d="M20.111 26.147c-2.336 1.051-4.361 1.401-7.125 1.401c-6.462 0-12.146-4.633-12.146-12.265 c0-7.94 5.762-14.833 14.561-14.833c6.853 0 11.8 4.7 11.8 11.252c0 5.684-3.194 9.265-7.399 9.3 c-1.829 0-3.153-0.934-3.347-2.997h-0.077c-1.208 1.986-2.96 2.997-5.023 2.997c-2.532 0-4.361-1.868-4.361-5.062 c0-4.749 3.504-9.071 9.111-9.071c1.713 0 3.7 0.4 4.6 0.973l-1.169 7.203c-0.388 2.298-0.116 3.3 1 3.4 c1.673 0 3.773-2.102 3.773-6.58c0-5.061-3.27-8.994-9.303-8.994c-5.957 0-11.175 4.673-11.175 12.1 c0 6.5 4.2 10.2 10 10.201c1.986 0 4.089-0.43 5.646-1.245L20.111 26.147z M16.646 10.1 c-0.311-0.078-0.701-0.155-1.207-0.155c-2.571 0-4.595 2.53-4.595 5.529c0 1.5 0.7 2.4 1.9 2.4 c1.441 0 2.959-1.828 3.311-4.087L16.646 10.068z"></path></g></svg>
            </span>
            <span class="text">email</span>
        </a>
    </li>
    <li class="twitter small" data-initwidth="14.285714285714286" style="width: 42px;" data-size="52">
        <!-- Replace href with your Meta and URL information  -->
        <a href="http://twitter.com/home?status=TCP+Session+Reconstruction+Tool+-+CodeProject%20http%3a%2f%2fwww.codeproject.com%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool" class="popup">
            <span class="icon">
                <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="28px" height="28px" viewBox="0 0 28 28" enable-background="new 0 0 28 28" xml:space="preserve">
                <path d="M24.253,8.756C24.689,17.08,18.297,24.182,9.97,24.62c-3.122,0.162-6.219-0.646-8.861-2.32
                    c2.703,0.179,5.376-0.648,7.508-2.321c-2.072-0.247-3.818-1.661-4.489-3.638c0.801,0.128,1.62,0.076,2.399-0.155
                    C4.045,15.72,2.215,13.6,2.115,11.077c0.688,0.275,1.426,0.407,2.168,0.386c-2.135-1.65-2.729-4.621-1.394-6.965
                    C5.575,7.816,9.54,9.84,13.803,10.071c-0.842-2.739,0.694-5.64,3.434-6.482c2.018-0.623,4.212,0.044,5.546,1.683
                    c1.186-0.213,2.318-0.662,3.329-1.317c-0.385,1.256-1.247,2.312-2.399,2.942c1.048-0.106,2.069-0.394,3.019-0.851
                    C26.275,7.229,25.39,8.196,24.253,8.756z"></path>
                </svg>
            </span>
            <span class="text">twitter</span>
        </a>
    </li>

    <li class="facebook small" data-initwidth="14.285714285714286" style="width: 42px;" data-size="63">
        <!-- Replace with your URL. For best results, make sure you page has the proper FB Open Graph tags in header: 
        https://developers.facebook.com/docs/opengraph/howtos/maximizing-distribution-media-content/ -->
        <a href="https://www.facebook.com/sharer/sharer.php?u=http%3a%2f%2fwww.codeproject.com%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool" class="popup">
            <span class="icon">
                <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="28px" height="28px" viewBox="0 0 28 28" enable-background="new 0 0 28 28" xml:space="preserve">
                    <path d="M27.825,4.783c0-2.427-2.182-4.608-4.608-4.608H4.783c-2.422,0-4.608,2.182-4.608,4.608v18.434
                        c0,2.427,2.181,4.608,4.608,4.608H14V17.379h-3.379v-4.608H14v-1.795c0-3.089,2.335-5.885,5.192-5.885h3.718v4.608h-3.726
                        c-0.408,0-0.884,0.492-0.884,1.236v1.836h4.609v4.608h-4.609v10.446h4.916c2.422,0,4.608-2.188,4.608-4.608V4.783z"></path>
                </svg>
            </span>
            <span class="text">facebook</span>
        </a>
    </li>
    
    <li class="linkedin small" data-initwidth="14.285714285714286" style="width: 42px;" data-size="56">
        <!-- Replace href with your meta and URL information -->
        <a href="http://www.linkedin.com/shareArticle?mini=true&url=http%3a%2f%2fwww.codeproject.com%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool&title=TCP+Session+Reconstruction+Tool+-+CodeProject" class="popup">
            <span class="icon">
                <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="28px" height="28px" viewBox="0 0 28 28" enable-background="new 0 0 28 28" xml:space="preserve">
                    <path d="M25.424,15.887v8.447h-4.896v-7.882c0-1.979-0.709-3.331-2.48-3.331c-1.354,0-2.158,0.911-2.514,1.803
                        c-0.129,0.315-0.162,0.753-0.162,1.194v8.216h-4.899c0,0,0.066-13.349,0-14.731h4.899v2.088c-0.01,0.016-0.023,0.032-0.033,0.048
                        h0.033V11.69c0.65-1.002,1.812-2.435,4.414-2.435C23.008,9.254,25.424,11.361,25.424,15.887z M5.348,2.501
                        c-1.676,0-2.772,1.092-2.772,2.539c0,1.421,1.066,2.538,2.717,2.546h0.032c1.709,0,2.771-1.132,2.771-2.546
                        C8.054,3.593,7.019,2.501,5.343,2.501H5.348z M2.867,24.334h4.897V9.603H2.867V24.334z"></path>
                </svg>
            </span>
            <span class="text">linkedin</span>
        </a>
    </li>
    <li class="reddit small" data-initwidth="14.285714285714286" style="width: 42px;" data-size="43">
        <a href="http://www.reddit.com/submit?url=http%3a%2f%2fwww.codeproject.com%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">
            <span class="icon">
                <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" x="0px" y="0px" width="28px" height="28px" viewBox="0 0 28 28" enable-background="new 0 0 28 28" xml:space="preserve"><g>
                <path d="M11.794 15.316c0-1.029-0.835-1.895-1.866-1.895c-1.03 0-1.893 0.865-1.893 1.895s0.863 1.9 1.9 1.9 C10.958 17.2 11.8 16.3 11.8 15.316z"></path>
                <path d="M18.1 13.422c-1.029 0-1.895 0.864-1.895 1.895c0 1 0.9 1.9 1.9 1.865c1.031 0 1.869-0.836 1.869-1.865 C19.969 14.3 19.1 13.4 18.1 13.422z"></path>
                <path d="M17.527 19.791c-0.678 0.678-1.826 1.006-3.514 1.006c-0.004 0-0.009 0-0.014 0c-0.004 0-0.01 0-0.015 0 
                c-1.686 0-2.834-0.328-3.51-1.005c-0.264-0.265-0.693-0.265-0.958 0c-0.264 0.265-0.264 0.7 0 1 c0.943 0.9 2.4 1.4 
                4.5 1.402c0.005 0 0 0 0 0c0.005 0 0 0 0 0c2.066 0 3.527-0.459 4.47-1.402 c0.265-0.264 0.265-0.693 0.002-0.958C18.221 
                19.5 17.8 19.5 17.5 19.791z"></path><path d="M27.707 13.267c0-1.785-1.453-3.237-3.236-3.237c-0.793 0-1.518 0.287-2.082 
                0.761c-2.039-1.295-4.646-2.069-7.438-2.219 l1.483-4.691l4.062 0.956c0.071 1.4 1.3 2.6 2.7 2.555c1.488 0 2.695-1.208 
                2.695-2.695C25.881 3.2 24.7 2 23.2 2 c-1.059 0-1.979 0.616-2.42 1.508l-4.633-1.091c-0.344-0.081-0.693 0.118-0.803 
                0.455l-1.793 5.7 C10.548 8.6 7.7 9.4 5.6 10.75C5.006 10.3 4.3 10 3.5 10.029c-1.785 0-3.237 1.452-3.237 3.2 c0 1.1 0.6 
                2.1 1.4 2.69c-0.04 0.272-0.061 0.551-0.061 0.831c0 2.3 1.3 4.4 3.7 5.9 c2.299 1.5 5.3 2.3 8.6 2.325c3.228 0 6.271-0.825 
                8.571-2.325c2.387-1.56 3.7-3.66 3.7-5.917 c0-0.26-0.016-0.514-0.051-0.768C27.088 15.5 27.7 14.4 27.7 13.267z M23.186 
                3.355c0.74 0 1.3 0.6 1.3 1.3 c0 0.738-0.6 1.34-1.34 1.34s-1.342-0.602-1.342-1.34C21.844 4 22.4 3.4 23.2 3.355z M1.648 
                13.3 c0-1.038 0.844-1.882 1.882-1.882c0.31 0 0.6 0.1 0.9 0.209c-1.049 0.868-1.813 1.861-2.26 2.9 C1.832 14.2 1.6 13.8 1.6 
                13.267z M21.773 21.57c-2.082 1.357-4.863 2.105-7.831 2.105c-2.967 0-5.747-0.748-7.828-2.105 
                c-1.991-1.301-3.088-3-3.088-4.782c0-1.784 1.097-3.484 3.088-4.784c2.081-1.358 4.861-2.106 7.828-2.106 c2.967 0 5.7 
                0.7 7.8 2.106c1.99 1.3 3.1 3 3.1 4.784C24.859 18.6 23.8 20.3 21.8 21.57z M25.787 14.6 
                c-0.432-1.084-1.191-2.095-2.244-2.977c0.273-0.156 0.59-0.245 0.928-0.245c1.035 0 1.9 0.8 1.9 1.9 
                C26.354 13.8 26.1 14.3 25.8 14.605z"></path></g></svg>
            </span>
            <span class="text">reddit</span>
        </a>
    </li>
    <li class="googleplus small" data-initwidth="14.285714285714286" style="width: 42px;" data-size="57">
        <!-- Replace href with your meta and URL information.  -->
        <a href="https://plus.google.com/share?url=Check%20out%20TCP+Session+Reconstruction+Tool+-+CodeProject%20http%3a%2f%2fwww.codeproject.com%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool" class="popup">
            <span class="icon">
                <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="28px" height="28px" viewBox="0 0 28 28" enable-background="new 0 0 28 28" xml:space="preserve">
                    <g>
                        <g>
                            <path d="M14.703,15.854l-1.219-0.948c-0.372-0.308-0.88-0.715-0.88-1.459c0-0.748,0.508-1.223,0.95-1.663
                                c1.42-1.119,2.839-2.309,2.839-4.817c0-2.58-1.621-3.937-2.399-4.581h2.097l2.202-1.383h-6.67c-1.83,0-4.467,0.433-6.398,2.027
                                C3.768,4.287,3.059,6.018,3.059,7.576c0,2.634,2.022,5.328,5.604,5.328c0.339,0,0.71-0.033,1.083-0.068
                                c-0.167,0.408-0.336,0.748-0.336,1.324c0,1.04,0.551,1.685,1.011,2.297c-1.524,0.104-4.37,0.273-6.467,1.562
                                c-1.998,1.188-2.605,2.916-2.605,4.137c0,2.512,2.358,4.84,7.289,4.84c5.822,0,8.904-3.223,8.904-6.41
                                c0.008-2.327-1.359-3.489-2.829-4.731H14.703z M10.269,11.951c-2.912,0-4.231-3.765-4.231-6.037c0-0.884,0.168-1.797,0.744-2.511
                                c0.543-0.679,1.489-1.12,2.372-1.12c2.807,0,4.256,3.798,4.256,6.242c0,0.612-0.067,1.694-0.845,2.478
                                c-0.537,0.55-1.438,0.948-2.295,0.951V11.951z M10.302,25.609c-3.621,0-5.957-1.732-5.957-4.142c0-2.408,2.165-3.223,2.911-3.492
                                c1.421-0.479,3.25-0.545,3.555-0.545c0.338,0,0.52,0,0.766,0.034c2.574,1.838,3.706,2.757,3.706,4.479
                                c-0.002,2.073-1.736,3.665-4.982,3.649L10.302,25.609z"></path>
                            <polygon points="23.254,11.89 23.254,8.521 21.569,8.521 21.569,11.89 18.202,11.89 18.202,13.604 21.569,13.604 21.569,17.004
                                23.254,17.004 23.254,13.604 26.653,13.604 26.653,11.89      "></polygon>
                        </g>
                    </g>
                </svg>
            </span>
            <span class="text">google+</span>
        </a>
    </li>
    
    <li class="pinterest small" data-initwidth="14.285714285714286" style="width: 42px;" data-size="63">
        <!-- Replace href with your meta and URL information.  -->
        <a href="http://pinterest.com/pin/create/button/?url=http%3a%2f%2fwww.codeproject.com%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool&media=http://kurtnoble.com/labs/rrssb/media/facebook-share.jpg&description=TCP+Session+Reconstruction+Tool+-+CodeProject">
            <span class="icon">
                <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="28px" height="28px" viewBox="0 0 28 28" enable-background="new 0 0 28 28" xml:space="preserve">
                <path d="M14.021,1.57C6.96,1.57,1.236,7.293,1.236,14.355c0,7.062,5.724,12.785,12.785,12.785c7.061,0,12.785-5.725,12.785-12.785
                    C26.807,7.294,21.082,1.57,14.021,1.57z M15.261,18.655c-1.161-0.09-1.649-0.666-2.559-1.219c-0.501,2.626-1.113,5.145-2.925,6.458
                    c-0.559-3.971,0.822-6.951,1.462-10.116c-1.093-1.84,0.132-5.545,2.438-4.632c2.837,1.123-2.458,6.842,1.099,7.557
                    c3.711,0.744,5.227-6.439,2.925-8.775c-3.325-3.374-9.678-0.077-8.897,4.754c0.19,1.178,1.408,1.538,0.489,3.168
                    C7.165,15.378,6.53,13.7,6.611,11.462c0.131-3.662,3.291-6.227,6.46-6.582c4.007-0.448,7.771,1.474,8.29,5.239
                    c0.579,4.255-1.816,8.865-6.102,8.533L15.261,18.655z"></path>
                </svg>
            </span>
            <span class="text">pinterest</span>
        </a>
    </li>
</ul>
<!-- Buttons end here -->

				        </div> 
    			        


						
						<h2 id="ctl00_AboutHeading">About the Author</h2>
						

<div class="container">
<div style="width:210px;overflow:hidden;float:left;text-align:center">
	<img id="ctl00_AboutAuthorRptr_ctl00_AboutAuthor_memberPhoto" class="profile-pic" src="./TCP Session Reconstruction Tool - CodeProject_files/member_unknown.gif" style="border-width:0px;transform:rotate(3deg);">
</div>
<div class="container-member float-left" style="margin:35px 15px 0 0;">
	<b><a id="ctl00_AboutAuthorRptr_ctl00_AboutAuthor_memberProfileLink" class="author" href="http://www.codeproject.com/Members/Saar-Yahalom">Saar Yahalom</a></b>
	<div class="company">
		<span id="ctl00_AboutAuthorRptr_ctl00_AboutAuthor_memberJobTitle">Software Developer</span>
		<span id="ctl00_AboutAuthorRptr_ctl00_AboutAuthor_memberCompany">Microsoft</span> 
		<br><span id="ctl00_AboutAuthorRptr_ctl00_AboutAuthor_memberLocation">Israel <img src="./TCP Session Reconstruction Tool - CodeProject_files/IL.gif" alt="Israel" width="16px" height="11px"></span>
	</div>
</div>
	
<div class="padded-top float-left clearfix">
	Saar, has been programing since 1997. He enjoys taking things a part and designing simple solutions to complex problems. Currently, works for Microsoft writing in a variety of languages and flavors. During the last year he is taking a closer look into mobile and web development.

	

	
</div>
</div><br>
						
						

						<div class="clearfix"></div>

						<div style="padding-top:8px">
							
						</div>

						
						<div style="margin:auto;height:90px;margin-top:10px;Widt:730px"> 
							<div class="msg-728x90" data-format="728x90" data-type="ad" data-publisher="lqm.codeproject.site" data-zone="General-Programming/Internet-Network/Utilities" data-loadonview="true" data-tags="VC8.0, .NET2.0, VS2005, C#2.0, C++/CLI, Windows, Dev, Intermediate,rating4.5,pos_bottom"><noscript>&lt;a href="http://ad.doubleclick.net/N6839/jump/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=728x90;ord=635590748409036705?"&gt;&lt;img src="http://ad.doubleclick.net/N6839/ad/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=728x90;ord=635590748409036705?"  width="728px" height="90px" /&gt;&lt;/a&gt;</noscript></div>
						</div>
						
					

				    
					</form>

				</div>

				
				

					<h2>Comments and Discussions</h2>
					<a class="float-left" name="_comments" id="_comments">&nbsp;</a><div id="_MessageBoardctl00_MessageBoard" onclick="return SwitchMessage(event, null)">
<table id="ForumTable" class="forum relaxed" cellpadding="0" cellspacing="0">
<tbody><tr>
<td class="header1 callout"><b>You must <a href="https://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool%3ffid%3d459722%26df%3d90%26mpp%3d25%26noise%3d3%26prof%3dFalse%26sort%3dPosition%26view%3dNormal%26spc%3dRelaxed">Sign In</a> to use this message board.</b></td>
</tr><tr>
<td><table width="100%" border="0" cellpadding="3px" cellspacing="0">
<tbody><tr class="header1">
<td colspan="2" style="white-space:nowrap;"><div class="container">
<div class="float-right">

</div>
</div></td>
</tr><tr class="header2">
<td></td><td style="width:100%;"><div style="text-align:right;">
<form action="http://www.codeproject.com/script/Forums/SetOptions.aspx?floc=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool&fid=459722&df=90&mpp=25&noise=3&prof=False&sort=Position&view=Normal&spc=Relaxed" method="get" style="margin:0;padding:0;">
<input type="hidden" name="fid" value="459722"><input type="hidden" name="currentQS" value="?floc=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool&amp;fid=459722&amp;df=90&amp;mpp=25&amp;noise=3&amp;prof=False&amp;sort=Position&amp;view=Normal&amp;spc=Relaxed"><input type="hidden" name="floc" value="/Articles/20501/TCP-Session-Reconstruction-Tool"><input type="checkbox" name="prof" id="prof" style="vertical-align:middle;"><label for="prof">Profile popups</label>&nbsp;&nbsp;&nbsp;&nbsp;Spacing<select size="1" class="dropdown" name="spc">
<option selected="" value="Relaxed">Relaxed</option><option value="Compact">Compact</option><option value="Tight">Tight</option>
</select>&nbsp;&nbsp;Noise<select size="1" class="dropdown" name="noise">
<option value="1">Very High</option><option value="2">High</option><option selected="" value="3">Medium</option><option value="4">Low</option><option value="5">Very Low</option>
</select>&nbsp;&nbsp;Layout<select size="1" class="dropdown" name="view">
<option selected="" value="Normal">Normal</option><option value="Topic">Open Topics</option><option value="Expanded">Open All</option><option value="Thread">Thread View</option>
</select>&nbsp;&nbsp;Per page<select size="1" class="dropdown" name="mpp">
<option value="10">10</option><option selected="" value="25">25</option><option value="50">50</option>
</select>&nbsp;&nbsp;&nbsp;<input type="submit" value="Update" name="SetOpt" class="button">
</form>
</div></td>
</tr>
</tbody></table></td>
</tr><tr>
<td><a name="xx0xx"></a><table border="0" cellpadding="2px" cellspacing="0" width="100%">
<tbody><tr class="navbar">
<td></td><td style="text-align:right;width:50%;"></td><td style="text-align:right;white-space:nowrap;"><span class="nav-link disabled">First</span> <span class="nav-link disabled">Prev</span><a class="nav-link" name="Frm_HoverNL" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&noise=3&prof=False&sort=Position&view=Normal&spc=Relaxed&fr=26#xx0xx">Next</a></td>
</tr>
</tbody></table></td>
</tr><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%" class="fixed-layout blank-background">
<tbody><tr>
<td><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" border="0" width="1px" height="5px" alt=""></td>
</tr><tr id="F4485511_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx4485511xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_question.gif" alt="Question"></td><td class="subject hover-container"><a class="message-link" name="4485511" parent="0" thread="4485511" href="http://www.codeproject.com/Messages/4485511/Include-reconstruction-of-live-tcp-packets.aspx">Include reconstruction of live tcp packets</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=7779062">igedu1</a></td><td class="date">31-Jan-13  15:19&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F4485511_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="7779062" msgid="4485511" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">Thanks for the project can you include reconstruction of live tcp packets please?as trying to remove capfile as suggested is proving to be daunting.<br>
Thanks a million<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=4485511" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/4485511/Include-reconstruction-of-live-tcp-packets.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF4485511" data-ref="3_4485511" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F4145593_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx4145593xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_question.gif" alt="Question"></td><td class="subject hover-container"><a class="message-link" name="4145593" parent="0" thread="4145593" href="http://www.codeproject.com/Messages/4145593/Q-Use-Generated-Data-Files.aspx">[Q] Use Generated Data Files</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=1782435">Member 1782435</a></td><td class="date">1-Feb-12  22:56&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F4145593_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="1782435" msgid="4145593" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">Hi,<br>
Please help me know how to use generated data files to make html files.<br>
Best Regards,<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=4145593" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/4145593/Q-Use-Generated-Data-Files.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF4145593" data-ref="3_4145593" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3754328_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx3754328xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3754328" parent="0" thread="3754328" href="http://www.codeproject.com/Messages/3754328/little-question.aspx">little question</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=6247824">sharok89</a></td><td class="date">1-Feb-11  0:11&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3754328_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="6247824" msgid="3754328" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">Hi. First of all thanks for the project.<br>
I'm trying to modify the code to my needs. And I have a question. I want to write to a file only after the session is finished. I know about flag FIN, but can't figure out where to use them. <br>
Could you help me?<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3754328" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3754328/little-question.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3754328" data-ref="3_3754328" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3754904_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="38px" class="indent"><a name="xx3754904xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3754904" parent="3754328" thread="3754328" href="http://www.codeproject.com/Messages/3754904/Re-little-question.aspx">Re: little question</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602">Saar Yahalom</a></td><td class="date">1-Feb-11  7:34&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3754904_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:38px;"><div class="voteform vertical" ownerid="305602" msgid="3754904" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="38px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,3754328);" href="http://www.codeproject.com/Messages/3754328/little-question.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Hi,<br>
&nbsp;<br>
The program as it is written now handles each packet in the pcap file. <br>
Each packet is written immediately to a file. To make the changes you are talking about, <br>
will require to store all the packets in memory until a FIN packet is received. <br>
It is acceptable for a single session but not for multiple concurrent sessions.<br>
&nbsp;<br>
My suggestion is to either to run the code as is, and treat the output files as temporary ones, <br>
later on when the reconstruction of the whole pcap file is completed, keep only the files you interested in.<br>
&nbsp;<br>
Or, a different and a bit more complicated approach is to change the code to listen for a specific session and change the TcpRecon FileStream to a MemoryStream. Last, you will need to change the function ReassemblePacket to check for the FIN flag and at that moment you can save the memory stream and stop the reconstruction.<br>
&nbsp;<br>
Note, that are sessions that are incomplete i.e. they do not contain the FIN flag as it was not captured or the session was broken by a number of different reasons.<br>
&nbsp;<br>
Cheers,<br>
-Saar<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3754328" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3754904/Re-little-question.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3754904" data-ref="3_3754904" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3755136_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="56px" class="indent"><a name="xx3755136xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3755136" parent="3754904" thread="3754328" href="http://www.codeproject.com/Messages/3755136/Re-little-question.aspx">Re: little question</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=6247824">sharok89</a></td><td class="date">1-Feb-11  12:21&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3755136_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:56px;"><div class="voteform vertical" ownerid="6247824" msgid="3755136" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="56px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,3754904);" href="http://www.codeproject.com/Messages/3754904/Re-little-question.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Thanks for reply. <br>
Yes, I defined ArrayList for response and request. And now seems to work. Bad that not all closed session. For example, TheBat does not send a FIN (strange it is that). I have defined a timeout variable. After which, I have to manually close the session and parse it. The bad is that I have to wait for the timeout, I set 15 seconds.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3754328" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3755136/Re-little-question.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3755136" data-ref="3_3755136" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3660239_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx3660239xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3660239" parent="0" thread="3660239" href="http://www.codeproject.com/Messages/3660239/very-nice-work.aspx">very nice work</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=6962372">L667</a></td><td class="date">8-Nov-10  11:27&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3660239_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="6962372" msgid="3660239" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">shalom saar,<br>
very nice work,<br>
got a couple of questions for you:<br>
&nbsp;<br>
you reconstruct both sides of the session together in one stream,<br>
is there any way to tweak the code so that each side of the conversation would be constructed separately?<br>
&nbsp;<br>
and also, how would this tool handle packets that came in the wrong order?<br>
if, lets say,  I'll randomize the order of the packets, would it still work?<br>
&nbsp;<br>
thanks a lot,<br>
lev.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3660239" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3660239/very-nice-work.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3660239" data-ref="3_3660239" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3660310_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="38px" class="indent"><a name="xx3660310xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3660310" parent="3660239" thread="3660239" href="http://www.codeproject.com/Messages/3660310/Re-very-nice-work.aspx">Re: very nice work</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602">Saar Yahalom</a></td><td class="date">8-Nov-10  13:26&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3660310_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:38px;"><div class="voteform vertical" ownerid="305602" msgid="3660310" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="38px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,3660239);" href="http://www.codeproject.com/Messages/3660239/very-nice-work.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Hi Lev,<br>
&nbsp;<br>
You can tweak the code so that each side will be constructed separately. You will just need to dump the packets into different files (e.g serverData, clientData).<br>
An easy way to achieve this is to play with the hash value of the connection class so its hash value won't be symmetric.<br>
&nbsp;<br>
The code handles out of order packets, in the same manner that most TCP stacks do, it ignores them. <br>
That means that a random order session will not be reconstructed but a session with a few out of order packets will be reconstructed without a problem.<br>
&nbsp;<br>
The rule of thumb is: "If the both sides of the session communicated correctly, the tool will be able to reconstruct their session".<br>
&nbsp;<br>
Hope this helps,<br>
-Saar<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3660239" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3660310/Re-very-nice-work.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3660310" data-ref="3_3660310" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3269911_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx3269911xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3269911" parent="0" thread="3269911" href="http://www.codeproject.com/Messages/3269911/thanks-for-the-tool-check-out-the-java-version.aspx">thanks for the tool - check out the java version</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=2444758">mbharadwaj</a></td><td class="date">12-Nov-09  7:02&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3269911_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="2444758" msgid="3269911" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">hi there,<br>
&nbsp;<br>
we had to solve a tcp session reconstruction problem for a requirement we had and we referred to your project. we were using jpcap. the result of this effort was released as an open source project recently. here it is: http://code.google.com/p/pcap-reconst/<br>
&nbsp;<br>
regards<br>
manoj<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3269911" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3269911/thanks-for-the-tool-check-out-the-java-version.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3269911" data-ref="3_3269911" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3091760_h0" class="header hover-row root">
<td class="subject-line normal  vote-hi" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx3091760xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3091760" parent="0" thread="3091760" href="http://www.codeproject.com/Messages/3091760/bug-with-MTU-size-caused-by-SharpPcap.aspx">bug with MTU size caused by SharpPcap</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=5129932">Guy Shtub</a></td><td class="date">22-Jun-09  23:26&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3091760_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="5129932" msgid="3091760" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">I spent quite a few hours trying to find out why I can not reassemble a TCP seesion using TCPRecon with SharpPcap. <br>
The reason was my MTU size was small (120) and this caused some out of bounds exception in SharpPcap. <br>
I will open a thread about this on SharpPcap, but maybe this will help someone here as well <img src="./TCP Session Reconstruction Tool - CodeProject_files/smiley_smile.gif" align="top" alt="Smile | :)"> <br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3091760" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3091760/bug-with-MTU-size-caused-by-SharpPcap.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3091760" data-ref="3_3091760" class="rating-label" style="white-space:nowrap;"><span>5.00/5 (1 vote)</span></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3089601_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx3089601xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="3089601" parent="0" thread="3089601" href="http://www.codeproject.com/Messages/3089601/reassembly-in-real-time-instead-of-from-a-file.aspx">reassembly in real time instead of from a file</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=5129932">Guy Shtub</a></td><td class="date">21-Jun-09  4:38&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3089601_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="5129932" msgid="3089601" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">First of all thanks for a great project, got my 5 <img src="./TCP Session Reconstruction Tool - CodeProject_files/smiley_smile.gif" align="top" alt="Smile | :)"> <br>
&nbsp;<br>
How would you go about adding the functionality of capturing from a device and reassembling tcp sessions as the packets are received instead of doing so from a file?<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3089601" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3089601/reassembly-in-real-time-instead-of-from-a-file.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3089601" data-ref="3_3089601" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F3089691_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="38px" class="indent"><a name="xx3089691xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_answer.gif" alt="Answer"></td><td class="subject hover-container"><a class="message-link" name="3089691" parent="3089601" thread="3089601" href="http://www.codeproject.com/Messages/3089691/Re-reassembly-in-real-time-instead-of-from-a-file.aspx">Re: reassembly in real time instead of from a file</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602">Saar Yahalom</a></td><td class="date">21-Jun-09  7:54&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F3089691_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:38px;"><div class="voteform vertical" ownerid="305602" msgid="3089691" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="38px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,3089601);" href="http://www.codeproject.com/Messages/3089601/reassembly-in-real-time-instead-of-from-a-file.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Hi,<br>
&nbsp;<br>
Thanks for the feedback.<br>
&nbsp;<br>
I think that what you are looking for is changing:<br>
<pre>device = SharpPcap.GetPcapOfflineDevice(capFile);</pre>
to<br>
<pre>PcapDeviceList devices = SharpPcap.GetAllDevices();
<span class="code-comment">//</span><span class="code-comment">Extract a device from the list
</span>device = devices[<span class="code-digit">0</span>];
<span class="code-comment">//</span><span class="code-comment">Open the device for capturing
</span><span class="code-comment">//</span><span class="code-comment">true -- means promiscuous mode
</span><span class="code-comment">//</span><span class="code-comment">1000 -- means a read wait of 1000ms
</span>device.PcapOpen(<span class="code-keyword">true</span>, <span class="code-digit">1000</span>);
.
.
.
<span class="code-comment">//</span><span class="code-comment">Start capture 'INFINTE' number of packets
</span><span class="code-comment">//</span><span class="code-comment">This method will return when EOF reached.
</span>device.PcapCapture(<span class="code-digit">1000</span> <span class="code-comment">/*</span><span class="code-comment"> The number of packets you want to capture */</span>);
</pre> <br>
&nbsp;<br>
Cheers,<br>
Saar Yahalom.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=3089601" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/3089691/Re-reassembly-in-real-time-instead-of-from-a-file.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF3089691" data-ref="3_3089691" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2999719_h0" class="header hover-row root">
<td class="subject-line normal  vote-lo" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx2999719xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="2999719" parent="0" thread="2999719" href="http://www.codeproject.com/Messages/2999719/error-while-runing-the-code.aspx">error while runing the code</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=5764324">Deven Nikam</a></td><td class="date">9-Apr-09  20:43&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2999719_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="5764324" msgid="2999719" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">hello sir,<br>
i m not able to run the code it shows me the error as "file not found"...<br>
i guess i am not able to get the file input properly...<br>
also i want to ask if i have to capture packets directly from network...what changes should i do?...<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2999719" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2999719/error-while-runing-the-code.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2999719" data-ref="3_2999719" class="rating-label" style="white-space:nowrap;"><span>1.00/5 (1 vote)</span></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2814603_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx2814603xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_question.gif" alt="Question"></td><td class="subject hover-container"><a class="message-link" name="2814603" parent="0" thread="2814603" href="http://www.codeproject.com/Messages/2814603/Message-Deleted.aspx">[Message Deleted]</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=5713611">mycl</a></td><td class="date">20-Nov-08  11:31&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2814603_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="5713611" msgid="2814603" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2814603" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2814603/Message-Deleted.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2814603" data-ref="3_2814603" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2816407_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="38px" class="indent"><a name="xx2816407xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_answer.gif" alt="Answer"></td><td class="subject hover-container"><a class="message-link" name="2816407" parent="2814603" thread="2814603" href="http://www.codeproject.com/Messages/2816407/Re-Commview-to-cap-cap-to-pcap-Cant-read-with-TcpR.aspx">Re: Commview to cap, cap to pcap. Can't read with TcpRecon this pcap.</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602">Saar Yahalom</a></td><td class="date">22-Nov-08  6:12&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2816407_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:38px;"><div class="voteform vertical" ownerid="305602" msgid="2816407" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="38px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,2814603);" href="http://www.codeproject.com/Messages/2814603/Message-Deleted.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Have you tried to open the .cap file directly in TcpRecon ?<br>
This might do the trick. <br>
&nbsp;<br>
Otherwise I will have to have a copy of the .pcap file that is not supported, and see if I can do something about it. If the SharpPcap library does not support the file, I'm afraid I will not have a simple solution other then to start debugging the SharpPcap library.<br>
&nbsp;<br>
Let me know if you need help with something,<br>
Saar.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2814603" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2816407/Re-Commview-to-cap-cap-to-pcap-Cant-read-with-TcpR.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2816407" data-ref="3_2816407" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2816617_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="56px" class="indent"><a name="xx2816617xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_answer.gif" alt="Answer"></td><td class="subject hover-container"><a class="message-link" name="2816617" parent="2816407" thread="2814603" href="http://www.codeproject.com/Messages/2816617/Message-Deleted.aspx">[Message Deleted]</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=5713611">mycl</a></td><td class="date">22-Nov-08  12:06&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2816617_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:56px;"><div class="voteform vertical" ownerid="5713611" msgid="2816617" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="56px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,2816407);" href="http://www.codeproject.com/Messages/2816407/Re-Commview-to-cap-cap-to-pcap-Cant-read-with-TcpR.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div><br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2814603" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2816617/Message-Deleted.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2816617" data-ref="3_2816617" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2816624_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="74px" class="indent"><a name="xx2816624xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="2816624" parent="2816617" thread="2814603" href="http://www.codeproject.com/Messages/2816624/Re-Commview-to-cap-cap-to-pcap-Cant-read-with-TcpR.aspx">Re: Commview to cap, cap to pcap. Can't read with TcpRecon this pcap.</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602">Saar Yahalom</a></td><td class="date">22-Nov-08  12:35&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2816624_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:74px;"><div class="voteform vertical" ownerid="305602" msgid="2816624" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="74px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,2816617);" href="http://www.codeproject.com/Messages/2816617/Message-Deleted.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Hi,<br>
&nbsp;<br>
I took a look at the .ncl file format at this link (<a href="http://www.tamos.com/htmlhelp/commview/logformat.htm">http://www.tamos.com/htmlhelp/commview/logformat.htm</a>[<a href="http://www.tamos.com/htmlhelp/commview/logformat.htm" target="_blank" title="New Window">^</a>]). The idea I have is like this:<br>
&nbsp;<br>
1. Read the first two bytes and cast them to short (shortDataLength)<br>
2. Read the other 22 header bytes and throw them away.<br>
3. Read shortDataLength bytes into a byte array (byteArrData)<br>
4. Create a SharpPcap Tcp packet from the byte array<br>
5. Feed this packet to TcpRecon<br>
6. Goto 1.<br>
&nbsp;<br>
This is the basic idea, You still need to play with my code a bit, to make it work but I think you can have it done in a couple of hours. <br>
&nbsp;<br>
Hope this helps,<br>
Saar.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2814603" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2816624/Re-Commview-to-cap-cap-to-pcap-Cant-read-with-TcpR.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2816624" data-ref="3_2816624" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2724889_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx2724889xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_question.gif" alt="Question"></td><td class="subject hover-container"><a class="message-link" name="2724889" parent="0" thread="2724889" href="http://www.codeproject.com/Messages/2724889/program-with-an-incorrect-format.aspx">program with an incorrect format</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=1676320">Jfergus</a></td><td class="date">15-Sep-08  14:12&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2724889_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="1676320" msgid="2724889" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">hi there <br>
&nbsp;<br>
here is the message i have when i execute the program<br>
&nbsp;<br>
P:\TCP_Reassembly\TcpReconBin&gt;TcpRecon.exe toto.pcap<br>
An attempt was made to load a program with an incorrect format. (Exception from<br>
HRESULT: 0x8007000B)<br>
&nbsp;<br>
Total reconstruct time: 0.0625 seconds<br>
&nbsp;<br>
I have used wireshark to create my .pcap file, used windump aswell. but still get the same error. what program should i used? is it possible to post me a light .pcap here? <img src="./TCP Session Reconstruction Tool - CodeProject_files/smiley_confused.gif" align="top" alt="Confused | :confused:"> <br>
&nbsp;<br>
thanks<br>
<img src="./TCP Session Reconstruction Tool - CodeProject_files/smiley_confused.gif" align="top" alt="Confused | :confused:"> <br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2724889" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2724889/program-with-an-incorrect-format.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2724889" data-ref="3_2724889" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2747819_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="38px" class="indent"><a name="xx2747819xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_answer.gif" alt="Answer"></td><td class="subject hover-container"><a class="message-link" name="2747819" parent="2724889" thread="2724889" href="http://www.codeproject.com/Messages/2747819/Re-program-with-an-incorrect-format.aspx">Re: program with an incorrect format</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602">Saar Yahalom</a></td><td class="date">1-Oct-08  14:36&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2747819_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:38px;"><div class="voteform vertical" ownerid="305602" msgid="2747819" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="38px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,2724889);" href="http://www.codeproject.com/Messages/2724889/program-with-an-incorrect-format.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Can you send me an email with the pcap file ?<br>
&nbsp;<br>
I would take a look on what is wrong ...<br>
&nbsp;<br>
Saar.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2724889" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2747819/Re-program-with-an-incorrect-format.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2747819" data-ref="3_2747819" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2749132_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="56px" class="indent"><a name="xx2749132xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="2749132" parent="2747819" thread="2724889" href="http://www.codeproject.com/Messages/2749132/Re-program-with-an-incorrect-format.aspx">Re: program with an incorrect format</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=1676320">Jfergus</a></td><td class="date">2-Oct-08  13:19&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2749132_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:56px;"><div class="voteform vertical" ownerid="1676320" msgid="2749132" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="56px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,2747819);" href="http://www.codeproject.com/Messages/2747819/Re-program-with-an-incorrect-format.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>hi Saar<br>
&nbsp;<br>
here is the link to the .pcap file<br>
&nbsp;<br>
http://www.ndolle.pwp.blueyonder.co.uk/123.pcap<br>
&nbsp;<br>
<br>
thanks<br>
Fergus<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2724889" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2749132/Re-program-with-an-incorrect-format.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2749132" data-ref="3_2749132" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2720370_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx2720370xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="2720370" parent="0" thread="2720370" href="http://www.codeproject.com/Messages/2720370/Exception-Thrown.aspx">Exception Thrown</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=1342780">Member 1342780</a></td><td class="date">11-Sep-08  14:52&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2720370_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="1342780" msgid="2720370" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">Running against a pcap file generated by wireshark:<br>
&nbsp;<br>
Unhandled Exception: System.InvalidCastException: Unable to cast object of type 'Tamir.IPLib.Packets.EthernetPacket' to type 'Tamir.IPLib.Packets.TCPPacket'.<br>
   at Tamir.IPLib.PcapDevice.PcapCaptureLoop()<br>
   at Tamir.IPLib.PcapDevice.PcapCapture(Int32 packetCount)<br>
   at TcpRecon.Program.ReconSingleFileSharpPcap(String capFile)<br>
   at TcpRecon.Program.Main(String[] args)<br>
&nbsp;<br>
Any ideas?<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2720370" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2720370/Exception-Thrown.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2720370" data-ref="3_2720370" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2720383_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="38px" class="indent"><a name="xx2720383xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="2720383" parent="2720370" thread="2720370" href="http://www.codeproject.com/Messages/2720383/Re-Exception-Thrown.aspx">Re: Exception Thrown</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=1342780">Member 1342780</a></td><td class="date">11-Sep-08  15:18&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2720383_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:38px;"><div class="voteform vertical" ownerid="1342780" msgid="2720383" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="38px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,2720370);" href="http://www.codeproject.com/Messages/2720370/Exception-Thrown.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>duh... I suppressed the file so it only displayed TCP packets, and then resaved the PCAP file.  Works fine, and thanks for a great tool.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2720370" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2720383/Re-Exception-Thrown.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2720383" data-ref="3_2720383" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2716943_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx2716943xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_question.gif" alt="Question"></td><td class="subject hover-container"><a class="message-link" name="2716943" parent="0" thread="2716943" href="http://www.codeproject.com/Messages/2716943/Using-this-with-IP-Works-IpMonitor-component.aspx">Using this with IP*Works' IpMonitor component</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=1058870">meraydin</a></td><td class="date">9-Sep-08  23:51&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2716943_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="1058870" msgid="2716943" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">Hello Saar<br>
&nbsp;<br>
I have licensed IP*works (from nsoftware.com) that has an IPMonitor component for capturing packets without WinPCap. It sends the following as each packet arrives:<br>
&nbsp;<br>
<pre><span class="code-keyword">class</span> IpmonitorIPPacketEventArgs : EventArgs {  
string SourceAddress {get;}  
<span class="code-keyword">int</span> SourcePort {get;}  
string DestinationAddress {get;}  
<span class="code-keyword">int</span> DestinationPort {get;}  
<span class="code-keyword">int</span> IPVersion {get;}  
<span class="code-keyword">int</span> TOS {get;}  
<span class="code-keyword">int</span> Id {get;}  
<span class="code-keyword">int</span> Flags {get;}  
<span class="code-keyword">int</span> Offset {get;}  
<span class="code-keyword">int</span> TTL {get;}  
<span class="code-keyword">int</span> Checksum {get;}  
<span class="code-keyword">int</span> IPProtocol {get;}  
string Payload {get;}  
byte[] PayloadB {get;}
}</pre>
&nbsp;<br>
where<br>
&nbsp;<br>
SourceAddress The IP address of the originating host in IP dotted format.  <br>
DestinationAddress The IP address of the destination host in IP dotted format.  <br>
IPVersion The IP protocol version being used by this packet.  <br>
TOS The type of service being used by this packet.  <br>
Id The packet id used to identify and track packets.  <br>
Flags Flags relating to the status of the packet and desired responses.  <br>
Offset The fragment offset of this packet in relation to larger data.  <br>
TTL The time to live for this packet.  <br>
IPProtocol The IP protocol used in the payload.  <br>
Payload The data field of the IP packet. This field may contain extra IP headers, depending upon the IP protocol used to create it.  <br>
&nbsp;<br>
<br>
Are these fields enough to use with your code? or do I need to install winpcap?<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2716943" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2716943/Using-this-with-IP-Works-IpMonitor-component.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2716943" data-ref="3_2716943" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2747817_h0" class="header hover-row">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="38px" class="indent"><a name="xx2747817xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_answer.gif" alt="Answer"></td><td class="subject hover-container"><a class="message-link" name="2747817" parent="2716943" thread="2716943" href="http://www.codeproject.com/Messages/2747817/Re-Using-this-with-IP-Works-IpMonitor-component.aspx">Re: Using this with IP*Works' IpMonitor component</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=305602">Saar Yahalom</a></td><td class="date">1-Oct-08  14:34&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2747817_h1" class="content selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:38px;"><div class="voteform vertical" ownerid="305602" msgid="2747817" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="38px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2"><div class="parent"><a rel="nofollow" onclick="return SwitchMessage(null,2716943);" href="http://www.codeproject.com/Messages/2716943/Using-this-with-IP-Works-IpMonitor-component.aspx"><img src="./TCP Session Reconstruction Tool - CodeProject_files/arrow-up24.png" title="Go to Parent" style="width:16px;height:16px;border:0"></a></div>Hi,<br>
&nbsp;<br>
The data you have is enough to perform the reconstruction. But you need to remove the Winpcap stuff from the project. I only rely on it in order to get the payload data which you already have.<br>
&nbsp;<br>
Good luck,<br>
Saar.<br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2716943" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2747817/Re-Using-this-with-IP-Works-IpMonitor-component.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2747817" data-ref="3_2747817" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2600143_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx2600143xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="2600143" parent="0" thread="2600143" href="http://www.codeproject.com/Messages/2600143/Cant-download-the-source-files.aspx">Cant download the source files</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=2329203">Lynn Phua</a></td><td class="date">16-Jun-08  18:35&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2600143_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="2329203" msgid="2600143" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">Is the link broken?? <br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2600143" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2600143/Cant-download-the-source-files.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2600143" data-ref="3_2600143" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr id="F2355303_h0" class="header hover-row root">
<td class="subject-line normal " width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td width="20px" class="indent"><a name="xx2355303xx"></a><img height="16px" width="16px" align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" alt="General"></td><td class="subject hover-container"><a class="message-link" name="2355303" parent="0" thread="2355303" href="http://www.codeproject.com/Messages/2355303/Interesting-article-but-download-links-are-broken.aspx">Interesting article, but download links are broken!</a> <a onclick="return Pin(this);" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool#" title="Click to pin message"><img src="./TCP Session Reconstruction Tool - CodeProject_files/pin.png" border="0" align="top" alt="Pin" width="13px" height="13px"></a></td><td class="icon"><img border="0" src="./TCP Session Reconstruction Tool - CodeProject_files/icn-member-16.gif" title="member" alt="member" height="16px"></td><td class="author"><a href="http://www.codeproject.com/script/Membership/View.aspx?mid=2026672">kogsod</a></td><td class="date">12-Dec-07  8:54&nbsp;</td>
</tr>
</tbody></table></td>
</tr><tr id="F2355303_h1" class="content root selected" style="display:none;">
<td class="normal" width="100%"><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr valign="top">
<td class="indent align-right" style="width:20px;"><div class="voteform vertical" ownerid="2026672" msgid="2355303" votingtype="GoodOrBad">

</div><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" height="1px" width="20px" alt=""></td><td class="text"><table border="0" cellpadding="0" cellspacing="5px" width="100%">
<tbody><tr>
<td><table border="0" cellpadding="0" cellspacing="0" width="100%">
<tbody><tr>
<td colspan="2">Please fix the links <br></td>
</tr><tr class="footer" style="vertical-align:top;">
<td><a href="http://www.codeproject.com/script/Membership/LogOn.aspx?rp=%2fArticles%2f20501%2fTCP-Session-Reconstruction-Tool">Sign In</a>·<wbr><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&sort=Position&spc=Relaxed&tid=2355303" title="View Thread">View&nbsp;Thread</a>·<wbr><a href="http://www.codeproject.com/Messages/2355303/Interesting-article-but-download-links-are-broken.aspx" title="Get permanent link">Permalink</a></td><td style="text-align:right;"><span id="MVF2355303" data-ref="3_2355303" class="rating-label" style="white-space:nowrap;"></span></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table></td>
</tr><tr>
<td><img src="./TCP Session Reconstruction Tool - CodeProject_files/t(1).gif" border="0" width="1px" height="5px" alt=""></td>
</tr><tr>
<td><table width="100%" cellpadding="2px" cellspacing="0">
<tbody><tr class="footer">
<td>Last Visit: 31-Dec-99  19:00 &nbsp; &nbsp; Last Update: 9-Feb-15  0:34</td><td><a href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&noise=3&prof=False&sort=Position&view=Normal&spc=Relaxed">Refresh</a></td><td style="text-align:right;white-space:nowrap;"><input id="_mbnUrl" type="hidden" value="/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&amp;df=90&amp;mpp=25&amp;noise=3&amp;prof=False&amp;sort=Position&amp;view=Normal&amp;spc=Relaxed&amp;fr=26"><span class="nav-link selected">1</span><a class="nav-link" name="Frm_HoverNL" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&noise=3&prof=False&sort=Position&view=Normal&spc=Relaxed&fr=26#xx0xx">2</a> <a class="nav-link" name="Frm_HoverNL" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?fid=459722&df=90&mpp=25&noise=3&prof=False&sort=Position&view=Normal&spc=Relaxed&fr=26#xx0xx">Next »</a></td>
</tr>
</tbody></table></td>
</tr>
</tbody></table>
</div><p class="small-text"><img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_general.gif" width="16px" height="16px" alt="General"> General &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_news.gif" width="16px" height="16px" alt="News"> News &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_idea.gif" width="16px" height="16px" alt="Suggestion"> Suggestion &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_question.gif" width="16px" height="16px" alt="Question"> Question &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_bug.gif" width="16px" height="16px" alt="Bug"> Bug &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_answer.gif" width="16px" height="16px" alt="Answer"> Answer &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_joke.gif" width="16px" height="16px" alt="Joke"> Joke &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_rant.gif" width="16px" height="16px" alt="Rant"> Rant &nbsp;&nbsp; <img align="top" src="./TCP Session Reconstruction Tool - CodeProject_files/msg_admin.gif" width="16px" height="16px" alt="Admin"> Admin &nbsp;&nbsp; </p><p class="small-text">Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.</p>
				

			</div>
			
		</td>
		<td width="170px">
			<div id="ctl00_RightSideBar" class="container-article-info">

    			

<div class="header">Info</div>
<div class="article-summary">

<a id="ctl00_InfoBox_ParentLink"></a>

<table cellpadding="0" cellspacing="0" class="article-info">

    

    
	

	
	

	

	

	

	<tbody><tr><td>First Posted&nbsp;</td><td nowrap="nowrap" class="value"><span itemprop="datePublished" content="2007-09-14">14 Sep 2007</span></td></tr>

	<tr><td>Views&nbsp;</td><td class="value">93,024</td></tr>

	
	<tr><td>Downloads&nbsp;</td><td class="value">6,268</td></tr>
		

	
	<tr><td>Bookmarked&nbsp;</td><td class="value">67 times</td></tr>
	

	

	

    

	<tr><td colspan="2"></td></tr>
	
	
</tbody></table>
</div>

                <div id="RHSticky" class="container-article-info-sticky" style="position: static; top: 407px; left: 1023.5px;">
				    

                    
                    <div class="padded-top">
                        
	<h4 id="ctl00_RelatedLibrary_RelatedResults_ctl00_header" class="header">Research</h4>
	<div class="research content-list clearfix">	
	
	<div class="content-list-item clearfix">
		<div class="thumbnail"><img id="ctl00_RelatedLibrary_RelatedResults_ctl01_Thumb" src="./TCP Session Reconstruction Tool - CodeProject_files/LibraryItemThumbnail_104_100x130.png" style="border-width:0px;"></div>
        <div class="text">
            <a id="ctl00_RelatedLibrary_RelatedResults_ctl01_Link" class="title" href="http://www.codeproject.com/ResearchLibrary/104/Why-Your-Developers-Need-More-Training">Why Your Developers Need More Training</a>
		    
        </div>
	</div>
	
	</div>
	

                    </div>

				    <div style="width:160px;margin: 10px auto;">
					    <div class="msg-160x600" data-format="160x600" data-type="ad" data-publisher="lqm.codeproject.site" data-zone="General-Programming/Internet-Network/Utilities" data-tags="VC8.0, .NET2.0, VS2005, C#2.0, C++/CLI, Windows, Dev, Intermediate,rating4.5"><noscript>&lt;a href="http://ad.doubleclick.net/N6839/jump/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=160x600;ord=635590748422296729?"&gt;&lt;img src="http://ad.doubleclick.net/N6839/ad/lqm.codeproject.site/General-Programming/Internet-Network/Utilities;sz=160x600;ord=635590748422296729?"  width="160px" height="600px" /&gt;&lt;/a&gt;</noscript></div>
				    </div>

				    

				    

				    
				</div>

			</div>
		</td>
		</tr></tbody></table>

		
		<div class="theme1-background" style="height:2px" id="stickyStop"></div>

		<div class="extended tiny-text">
			<div class="row">
				<div class="float-left">
					<a id="ctl00_PermaLink" itemprop="url" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool">Permalink</a> | 
					<a id="ctl00_AdvertiseLink" href="http://developermedia.com/">Advertise </a> |
					<a id="ctl00_PrivacyLink" href="http://www.codeproject.com/info/privacy.aspx">Privacy</a> |
                    <a id="ctl00_TermsOfUseLink" href="http://www.codeproject.com/info/TermsOfUse.aspx">Terms of Use</a> |
					<a id="ctl00_Mobile" rel="nofollow" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?display=Mobile">Mobile</a>
					<br>
								
					
					Web02 |
					2.8.150205.1 |
					Last Updated 22 Sep 2007								
				</div>

                <div id="ctl00_GoogleTranslate" class="translate float-left"></div>      

				<div class="float-right align-right">
					Article Copyright 2007 by Saar Yahalom<br>Everything else
					Copyright © <a href="mailto:webmaster@codeproject.com">CodeProject</a>, 1999-2015 <br>
				</div>

				


<div class="page-width">
Layout: <a id="ctl00_PageWidth_FixedT" title="Fixed width layout" rel="nofollow" class=" active" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?PageFlow=FixedWidth">fixed</a>
|
<a id="ctl00_PageWidth_FluidT" title="Fluid layout" rel="nofollow" href="http://www.codeproject.com/Articles/20501/TCP-Session-Reconstruction-Tool?PageFlow=Fluid">fluid</a>
</div>



			</div>
		</div>
		

		<br clear="all">
		
			

	</div> 
	</div>
</div>


<div style="display:none;" id="dm_AdTable">
	
</div>
<img id="ctl00_Audience" src="http://pubads.g.doubleclick.net/activity;dc_iu=/6839/DFPAudiencePixel;ord='635590748392656677';dc_seg=33705490?" style="border-width: 0px; height: 1px; width: 1px; display: none !important; visibility: hidden !important; opacity: 0 !important; background-position: 0px 0px;" width="0" height="0">



<script type="text/javascript" language="Javascript" src="./TCP Session Reconstruction Tool - CodeProject_files/jquery.min.js"></script><script type="text/javascript">//<![CDATA[
if (typeof jQuery == 'undefined') {
    document.write(unescape("%3Cscript src='/script/JS/jquery-1.6.2.min.js' type='text/javascript' %3E%3C/script%3E"));
}//]]></script>
<script type="text/javascript" language="Javascript" src="./TCP Session Reconstruction Tool - CodeProject_files/article.js"></script>
<script type="text/javascript" language="Javascript" src="./TCP Session Reconstruction Tool - CodeProject_files/element.js"></script>
<script type="text/javascript" language="Javascript" src="./TCP Session Reconstruction Tool - CodeProject_files/navbar.js"></script>
<script type="text/javascript" language="Javascript" src="./TCP Session Reconstruction Tool - CodeProject_files/Notifications.js"></script>
<script type="text/javascript" language="Javascript">//<![CDATA[
function googleTranslateElementInit() {  new google.translate.TranslateElement({   pageLanguage: 'en',   layout: google.translate.TranslateElement.InlineLayout.SIMPLE,   autoDisplay: false,   gaTrack: true,   gaId: 'UA-1735123-1'},  'ctl00_GoogleTranslate');}
$(document).ready(function() { anchorAnimate();
$('#RHSticky').sticky($('#stickyStop'));
$('#ctl00_Nav').sticky($('#stickyStop'));
});
$(function() {
                                            var $downloads =  $('ul.download');
                                            $downloads.addClass('float-left')
                                                        .wrap('<div class="row"></div>');
                                            $downloads.after('<div class="float-left" style="margin-top:25px;margin-left:30px"><div data-format="1x11" data-type="ad" data-publisher="lqm.codeproject.site" data-zone="downloadlink" data-tags="vc8.0%2c.net2.0%2cvs2005%2cc%232.0%2cc%2b%2b%2fcli%2cwindows%2cdev%2cintermediate"></div></div>');
                                    });
$(function ()
                {
                    $('.oauth').click(function () {
                        $this = $(this);
                        href = $this.attr('href');
                        var myWindow = window.open(href, 'popup',
                                    'width=800,height=600,location=0,menubar=0,resizeable=0,scrollbars=0,toolbar=0');
                        myWindow.focus();
                        var timer = setInterval(function () {
                                        if (myWindow.closed) {
                                            clearInterval(timer);
                                            // window.location.reload(); // May do a POST reload, shows a warning
                                            window.location = window.location; // force a GET reload
                                        }
                                    }, 200);
                        return false;
                    });
                });
var oSrchFlt = false, oSrchBox=false,srchBoxFoc=false;
$(document).ready(function() {
 if(InitWatermark)InitWatermark('sb_tb', 'Search for articles, questions, tips');
 var sbar = $('#sb_tb'); 
 var sfilter = $('#SearchFilter');
 if (sbar && sfilter) {
  sfilter.removeClass('popup'); sfilter.hide(); sfilter.removeClass('open');
  sbar.blur(function() {
 if (!oSrchFlt) {sfilter.hide(); sfilter.removeClass('open');}
 srchBoxFoc=false;
 });
  sbar.focus(function() {
 oSrchFlt=false; srchBoxFoc=true;
 sfilter.show(); sfilter.addClass('open');
 });
  sbar.mouseleave(function() { oSrchBox=false; });
  sbar.mouseover(function() { oSrchBox=true; });
  sfilter.mouseleave(function() { oSrchFlt=false; if (!srchBoxFoc&&!oSrchBox) { sfilter.hide(); sfilter.removeClass('open'); }});
  sfilter.mouseover(function() { oSrchFlt=true; });
 }
});
$('#clear-rate_ctl00_RateArticle_RSU').click(function () {    $('#ctl00_RateArticle_RSU').hide(); return false;});$("#ctl00_RateArticle_RateItemWrapper")   .removeClass("container-rating")   .hover( function() { $('#ctl00_RateArticle_RSU').fadeIn('fast'); },            function() { $('#ctl00_RateArticle_RSU').fadeOut('fast'); } );
function PostBack_ctl00_RateArticle_RateItemWrapper() {
  return rateItem(20501,2,1,true,true,3,'LargeStars');
}

                        function getVotesHistogram(objectId, objectTypeId, containerId, loadingId) {
                            if (!$('#' + containerId).attr('alreadyRequested')){
                                $.ajax({
                                    url: '/script/Ratings/Ajax/Histogram.aspx?obid=' + objectId + '&obtid='+objectTypeId,
                                    success: function (data) {
                                        $('#' + containerId).html(data);
                                        $('#' + loadingId).hide();
                                    }
                                });
                                $('#' + containerId).attr('alreadyRequested', 'true');
                            }
                        }
$(document).ready(function() {   new starRating('#ctl00_RateArticle_VoteFormDiv', PostBack_ctl00_RateArticle_RateItemWrapper,'ctl00_RateArticle');
  $('#ctl00_RateArticle_RB').mouseenter(function() {     getVotesHistogram(20501,2   ,'ctl00_RateArticle_Histogram','ctl00_RateArticle_Loading');  })})
$(document).ready(function() { $('#ctl00_RateArticle_SubmitRateBtn').hide(); });
$(document).ready(function() { $('#ctl00_RateArticle_SubmitRateBtn').hide(); });function ChkRtctl00_RateArticle(){}

forumDir = '/script/Forums/';
staticServer = '//dj9okeyxktdvd.cloudfront.net';
allowReporting = false;
allowRating = false;
allowRatingDisplay = true;
var smoothScroll = true;
Selected        = -1;
oldTitle        = document.title;
minMessageScore = 1;
minMessageScore = 5;
abuseScore      = -2;
spamScore       = -1;
getRatingUrl    = '/script/Ratings/Ajax/GetRatings.aspx';
noiseThreshold  = 3;
getRatingRefKey = 'obrs';


//]]>
</script>



<canvas id="cv1" width="1px" height="1px" style="position:absolute;left:0;top:0;pointer-events:none"></canvas><canvas id="cv2" width="1px" height="1px" style="position:absolute;left:0;top:0;pointer-events:none"></canvas><div id="yddWrapper" style="left: 493px; top: 909px; position: absolute;"><div id="yddContainer" align="left" style="padding:0px 0px 0px 0px;">    <div id="yddTop" class="ydd-sp"><div id="yddTopBorderlr"><a href="http://dict.youdao.com/search?q=libnids&keyfrom=chrome.extension" title="查看完整释义" class="ydd-sp ydd-icon" style="padding:0px 0px 0px 0px;padding-top:17px;" target="_blank"></a> <a href="http://dict.youdao.com/search?q=libnids&keyfrom=chrome.extension" target="_blank" title="查看完整释义" id="yddKeyTitle">libnids</a>&nbsp;<span style="font-weight:normal;font-size:10px;"></span><span style="float:right;font-weight:normal;font-size:10px"><a href="http://www.youdao.com/search?q=libnids&ue=utf8&keyfrom=chrome.extension" target="_blank">详细</a></span><a id="test"><span class="ydd-sp ydd-close">X</span></a></div></div>    <div id="yddMiddle">&nbsp;&nbsp;没有英汉互译结果<br>&nbsp;&nbsp;<a href="http://www.youdao.com/search?q=libnids&ue=utf8&keyfrom=chrome.extension" target="_blank">请尝试网页搜索</a>   </div>  </div></div></body></html>